When initializing the StaderConfig contract with the initialize function, the admin address is not set in accountsMap[ADMIN] variable, so the getAdmin() function will return address(0). This will cause the loss of the ownership of the VaultProxy contract as its initialize function sets the owner to be staderConfig.getAdmin() which will be address(0).
As it can be seen from the code above, the functions grant the admin role to the _admin address but is does not update accountsMap[ADMIN] variable which by default is equal to address(0).
The VaultProxy contract is normally owned by the admin address fetched from the StaderConfig contract as it's shown below :
function initialise(
bool _isValidatorWithdrawalVault,
uint8 _poolId,
uint256 _id,
address _staderConfig
) external {
if (isInitialized) {
revert AlreadyInitialized();
}
UtilLib.checkNonZeroAddress(_staderConfig);
isValidatorWithdrawalVault = _isValidatorWithdrawalVault;
isInitialized = true;
poolId = _poolId;
id = _id;
staderConfig = IStaderConfig(_staderConfig);
// @audit owner is set to be equal to staderConfig admin
owner = staderConfig.getAdmin();
}
And the getAdmin() functions directly returns the accountsMap[ADMIN] value :
function getAdmin() external view returns (address) {
return accountsMap[ADMIN];
}
So because the accountsMap[ADMIN] variable was not set in the initialize function of the StaderConfig contract, it will be equal to address(0) which will lead to the loss of the ownership of the VaultProxy contract when it is initialized (basically burning ownership).
Tools Used
Manual review
Recommended Mitigation Steps
Set the admin address into the accountsMap[ADMIN] variable When initializing the StaderConfig contract, the initialize function shold be modified with the following :
Lines of code
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderConfig.sol#L85-L103
Vulnerability details
Impact
When initializing the
StaderConfig
contract with theinitialize
function, the admin address is not set inaccountsMap[ADMIN]
variable, so thegetAdmin()
function will returnaddress(0)
. This will cause the loss of the ownership of theVaultProxy
contract as itsinitialize
function sets the owner to bestaderConfig.getAdmin()
which will beaddress(0)
.Proof of Concept
The issue occurs in the
initialize
function :File: StaderConfig.sol Line 85-103
As it can be seen from the code above, the functions grant the admin role to the
_admin
address but is does not updateaccountsMap[ADMIN]
variable which by default is equal toaddress(0)
.The
VaultProxy
contract is normally owned by the admin address fetched from theStaderConfig
contract as it's shown below :And the
getAdmin()
functions directly returns theaccountsMap[ADMIN]
value :So because the
accountsMap[ADMIN]
variable was not set in theinitialize
function of theStaderConfig
contract, it will be equal toaddress(0)
which will lead to the loss of the ownership of theVaultProxy
contract when it is initialized (basically burning ownership).Tools Used
Manual review
Recommended Mitigation Steps
Set the admin address into the
accountsMap[ADMIN]
variable When initializing theStaderConfig
contract, theinitialize
function shold be modified with the following :Assessed type
Error