Closed howlbot-integration[bot] closed 2 months ago
Issue previously found here: https://github.com/Renascence-Labs/2024-05-karak-restaking/issues/18
@devdks25 Sponsors can only use these labels: sponsor confirmed, sponsor disputed, sponsor acknowledged.
MiloTruck marked the issue as unsatisfactory: Out of scope
This is unfortunately out-of-scope as it is the same as M-1 from Renascence's report.
Lines of code
https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/entities/Operator.sol#L20
https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/entities/Operator.sol#L21
https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/Core.sol#L130-L141
https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/Core.sol#L113-L124
https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/Core.sol#L146-L153
Vulnerability details
Impact
A lack of verification in the Core::finalizeUpdateVaultStakeInDSS() function permits an operator to abuse it: a vault can be made to count as staked in a DSS even though the operator is not registered with that DSS. This can potentially lead the DSS to send rewards for a vault whose operator is not registered with it.
Proof of Concept
We are interested in two different states in the Core contract: dssMap, keyed by operator, represents the DSSs the operator is registered with, and vaultStakedInDssMap represents the vaults staked in a DSS.
Look at this scenario:
1. The operator calls Core::requestUpdateVaultStakeInDSS() to create a request to stake one of its vaults in the DSS.
2. The operator calls Core::unregisterOperatorFromDSS() and is immediately unregistered from the DSS.
3. The operator calls Core::finalizeUpdateVaultStakeInDSS(), and because the function does not verify that the operator is still registered with the DSS, the call goes through and the state becomes skewed.
This discrepancy between the two states can be problematic on the DSS side: the Core::finalizeUpdateVaultStakeInDSS() function calls a hook on the DSS, if it implements one, for its internal logic and state update. This can create a skewed state in the DSS that the operator can take advantage of, e.g. the vault can be considered staked in the DSS and therefore receive rewards from the DSS, while not officially being considered so in the Core contract because the operator is not registered with the DSS.
PoC
You can add this PoC to ./test/nativeRestaking/nativeVault.t.sol:
Now execute this command:
forge test --mt test_NotValidState -vvv
Tools Used
Manual Review
Recommended Mitigation Steps
You can add the verification checkIfOperatorIsRegInRegDSS() to the Core::finalizeUpdateVaultStakeInDSS() function to verify that the operator has not been unregistered from the DSS.
Assessed type
Invalid Validation
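As an added, simplified model of the scenario and of the recommended check (illustration only, not Karak's code): registration and stake state live in two mappings named after the report's dssMap and vaultStakedInDssMap, msg.sender is taken to be the vault's operator, and the request keying, error names and delay value are constructed assumptions. The vulnerable finalize only checks the delay; the hardened one re-checks registration, which is where the checkIfOperatorIsRegInRegDSS() guard belongs.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical reduction of the Core flow in this report (added illustration,
// not Karak's code). Names mirror the report's dssMap / vaultStakedInDssMap.
contract CoreModel {
    struct PendingUpdate { address dss; bool toStake; uint48 readyAt; }

    // operator => DSS => registered? (analogue of dssMap)
    mapping(address => mapping(address => bool)) public registeredInDSS;
    // vault => DSS => staked? (analogue of vaultStakedInDssMap)
    mapping(address => mapping(address => bool)) public vaultStakedInDSS;
    // vault => pending request (assumption: one pending request per vault)
    mapping(address => PendingUpdate) public pending;

    uint48 public constant DELAY = 1 days; // constructed value, not the real delay

    error NotRegisteredInDSS();
    error NotReady();

    function registerOperatorToDSS(address dss) external { registeredInDSS[msg.sender][dss] = true; }
    // Unregistration takes effect immediately, as the scenario above describes.
    function unregisterOperatorFromDSS(address dss) external { registeredInDSS[msg.sender][dss] = false; }

    function requestUpdateVaultStakeInDSS(address vault, address dss, bool toStake) external {
        if (!registeredInDSS[msg.sender][dss]) revert NotRegisteredInDSS();
        pending[vault] = PendingUpdate(dss, toStake, uint48(block.timestamp) + DELAY);
    }

    // Vulnerable shape: only the delay is checked, so a request made while
    // registered still finalizes after the operator has unregistered, leaving
    // vaultStakedInDSS out of step with registeredInDSS.
    function finalizeUpdateVaultStakeInDSSVulnerable(address vault) external {
        PendingUpdate memory p = pending[vault];
        if (block.timestamp < p.readyAt) revert NotReady();
        vaultStakedInDSS[vault][p.dss] = p.toStake;
        delete pending[vault];
    }

    // Hardened shape: re-check registration at finalize time, which is the
    // checkIfOperatorIsRegInRegDSS() guard the mitigation recommends.
    function finalizeUpdateVaultStakeInDSS(address vault) external {
        PendingUpdate memory p = pending[vault];
        if (block.timestamp < p.readyAt) revert NotReady();
        if (!registeredInDSS[msg.sender][p.dss]) revert NotRegisteredInDSS();
        vaultStakedInDSS[vault][p.dss] = p.toStake;
        delete pending[vault];
    }
}
```

A Foundry test of the hardened path would register, request, unregister, warp past DELAY and expect the NotRegisteredInDSS revert; the vulnerable path would instead leave vaultStakedInDSS set while registeredInDSS is false.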