c4-bot-8 commented 2 months ago

Lines of code

https://github.com/code-423n4/2024-07-karak/blob/main/src/Core.sol#L130 https://github.com/code-423n4/2024-07-karak/blob/main/src/Core.sol#L146 https://github.com/code-423n4/2024-07-karak/blob/main/src/interfaces/IDSS.sol#L14

Vulnerability details

Impact

There is no way to cancel a request to stake/unstake vaults to a DSS.

Proof of Concept

When an operator stakes/unstakes vaults to a DSS, the operator can request it using Core.requestUpdateVaultStakeInDSS(). After that, anyone can finish the request using Core.finalizeUpdateVaultStakeInDSS().

Core.requestUpdateVaultStakeInDSS() calls Operator.requestUpdateVaultStakeInDSS() and then IDSS.requestUpdateStakeHook(). Core.finalizeUpdateVaultStakeInDSS() calls Operator.validateAndUpdateVaultStakeInDSS() and then IDSS.finishUpdateStakeHook().

But there is additional functionality in IDSS. It's IDSS.cancelUpdateStakeHook(), and an operator can cancel his request using this method. But in the implementation of Core, there is no implementation to cancel the request to stake/unstake vaults to a DSS. As a result, request staking/unstaking have to be finialized without canceling.

Tools Used

Manual Review

Recommended Mitigation Steps

It is recommended to add implementation about canceling the request to stake/unstake vaults to a DSS in the Core contract.