Incorrect modifier results in the inability to set a staked user restriction

Summary

Root Cause

Upon calling StakingPoolToken.setStakeUserRestriction() to set a user restriction, we use this modifier:

    modifier onlyRestricted() {
        require(_msgSender() == stakeUserRestriction, "R");
        _;
    }

The issue is that if a restriction hasn't been set in the first place or has been removed, then this will always revert as the msg.sender can not be address(0) which is the stakeUserRestriction value if it hasn't been set.

Internal Pre-conditions

No response

External Pre-conditions

No response

Attack Path

The staked user restriction is removed or hasn't been set in the first place
There is no way to ever set it again in the future, resulting in a completely broken functionality

Impact

Broken functionality rendering the staked user restriction mechanism completely useless. If a restriction must be set, then it will be impossible.

PoC

No response

Mitigation

Change the modifier to a different one, possibly add the ability for the owner to set it

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

111.md

111.md

Incorrect modifier results in the inability to set a staked user restriction

Summary

Root Cause

Internal Pre-conditions

External Pre-conditions

Attack Path

Impact

PoC

Mitigation

Files

111.md

Latest commit

History

111.md

File metadata and controls

Incorrect modifier results in the inability to set a staked user restriction

Summary

Root Cause

Internal Pre-conditions

External Pre-conditions

Attack Path

Impact

PoC

Mitigation