Open c4-bot-8 opened 2 months ago
MiloTruck marked the issue as unsatisfactory: Out of scope
MiloTruck marked the issue as not a duplicate
MiloTruck removed the grade
MiloTruck changed the severity to QA (Quality Assurance)
Will confirm with the sponsor, but if the Core
contract doesn't call cancelUpdateStakeHook
anywhere, it means that cancelling updates is not supported and the hook is not needed.
MiloTruck marked the issue as grade-b
Yeah cancelUpdateStake
isn't implemented hence the hook's redundant.
Lines of code
https://github.com/code-423n4/2024-07-karak/blob/main/src/Core.sol#L130 https://github.com/code-423n4/2024-07-karak/blob/main/src/Core.sol#L146 https://github.com/code-423n4/2024-07-karak/blob/main/src/interfaces/IDSS.sol#L14
Vulnerability details
Impact
There is no way to cancel a request to stake/unstake vaults to a DSS.
Proof of Concept
When an operator stakes/unstakes vaults to a DSS, the operator can request it using
Core.requestUpdateVaultStakeInDSS()
. After that, anyone can finish the request usingCore.finalizeUpdateVaultStakeInDSS()
.Core.requestUpdateVaultStakeInDSS()
callsOperator.requestUpdateVaultStakeInDSS()
and thenIDSS.requestUpdateStakeHook()
.Core.finalizeUpdateVaultStakeInDSS()
callsOperator.validateAndUpdateVaultStakeInDSS()
and thenIDSS.finishUpdateStakeHook()
.But there is additional functionality in IDSS. It's
IDSS.cancelUpdateStakeHook()
, and an operator can cancel his request using this method. But in the implementation of Core, there is no implementation to cancel the request to stake/unstake vaults to a DSS. As a result, request staking/unstaking have to be finialized without canceling.Tools Used
Manual Review
Recommended Mitigation Steps
It is recommended to add implementation about canceling the request to stake/unstake vaults to a DSS in the Core contract.
Assessed type
Other