obront
medium
In CurveLPStakingController.sol and BalancerLPStakingController.sol, canDepositAndClaim() adds all reward tokens to the tokensIn array (to add to their account).
However, the deposit() function allows for an address to be inputted, which is used as both the owner of the staked tokens, and to claim the rewards.
If a user inputs such an address, they will not receive reward tokens, but the protocol will incorrectly add these tokens to their account.
Each Controller returns an array of tokensIn that will be added to the user's account, if they don't already hold a balance of that token.
In CurveLPStakingController.sol and BalancerLPStakingController.sol, the canDepositAndClaim() function is called when a user calls deposit() with the additional address and bool arguments.
However, if a user does pass an argument of true for _claim_rewards, they only actually receive the reward tokens if they pass their own address as _addr. If they pass another user's address, that user will receive the reward tokens.
Accounting on user accounts can be thrown off (intentionally or unintentionally), resulting in mismatches between their assets array and hasAsset mapping and the reality of their account.
Manual Review
In canCall(), decode the calldata to get the value of the _addr address. If this value does not equal msg.sender, call the non-claim version of the function (ie canDeposit() instead of canDepositAndClaim()).