Claim SHER on behalf of others #271
Labels
0 (Non-critical): Code style, clarity, syntax, versioning, off-chain monitoring (events etc), exclude gas optimisation
bug: Something isn't working
disagree with severity: Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments)
help wanted: Extra attention is needed
Handle
pauliax
Vulnerability details
Impact
In SherClaim, consider allowing SHER tokens to be claimed on behalf of other users. Function add does not have any restrictions on the caller, thus anyone can increase the userClaims of any _user. On the other hand, the claim function only allows msg.sender to withdraw userClaims. If the _user is a smart contract that does not implement the claim functionality, their SHER tokens will be left stuck in the contract. While I expect this is not very likely to happen, I see no harm if you add a claim function with a _user parameter so anyone can help others to claim.
Also, I think it would be nice if the ISherClaim interface contained function claim() so that integrators can copy the interface if necessary.
One more thing: you can also consider adding a token sweep function to this contract and introducing a claim deadline, so an admin can rescue unclaimed or accidentally sent tokens later. But it depends on the intentions; maybe you do not want to enforce users and are okay if some SHER will be left there forever.
Recommended Mitigation Steps
An example implementation:
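A sketch of the permissionless claim suggested in the report, added here as an illustration; it is not the warden's submission or Sherlock's code. Only `add`, `claim`, `userClaims` and `_user` come from the page; the contract name `SherClaimSketch`, the function `claimFor`, the `claimableAt` timestamp, the event and the error strings are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Minimal ERC-20 surface needed by this sketch.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical stand-in for SherClaim; only add, claim and userClaims are named on the page.
contract SherClaimSketch {
    IERC20 public immutable sher;
    uint256 public immutable claimableAt; // assumed unlock timestamp
    mapping(address => uint256) public userClaims;

    event Claim(address indexed caller, address indexed user, uint256 amount);

    constructor(IERC20 _sher, uint256 _claimableAt) {
        sher = _sher;
        claimableAt = _claimableAt;
    }

    // As described in the report: no restriction on the caller, any _user can be credited.
    function add(address _user, uint256 _amount) external {
        require(_user != address(0) && _amount != 0, "zero argument");
        require(sher.transferFrom(msg.sender, address(this), _amount), "transferFrom failed");
        userClaims[_user] += _amount;
    }

    // Existing behaviour: only the credited address can pull its own balance.
    function claim() external {
        _claim(msg.sender);
    }

    // Suggested addition: anyone may trigger the payout, but tokens always go to _user.
    function claimFor(address _user) external {
        _claim(_user);
    }

    function _claim(address _user) private {
        require(block.timestamp >= claimableAt, "not claimable yet");
        uint256 amount = userClaims[_user];
        require(amount != 0, "nothing to claim");
        delete userClaims[_user]; // clear state before the external call
        require(sher.transfer(_user, amount), "transfer failed");
        emit Claim(msg.sender, _user, amount);
    }
}
```

The destination is fixed to `_user` and is never taken from the caller, so a third party can only trigger a payout, not redirect it.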