Droll Shamrock Jaguar
Medium
As the protocol is going to be deployed on multiple chains "Ethereum, Arbitrum, Rari Chain, zkSync Mainnet, Base, Polygon, OP Mainnet", this could mean that signatures could be reused to stake/stake more on behalf of a user.
There is no chain.id
in the signed data
If a malicious user does a stakeOnBehalf
, stakeMoreOnBehalf
, chainId is missing which means that the same stake can be replayed on a different chain for the same account.
Manual Review
Include the chain.id
in what's hashed