code-423n4 / 2024-07-karak-findings


no checks to find whether any vault is pending for finalised staking in a DAA while unregistering the DSS #60

Closed howlbot-integration[bot] closed 2 months ago

howlbot-integration[bot] commented 2 months ago

Lines of code

https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/entities/Operator.sol#L181-L203

Vulnerability details

Impact

There are no checks to find whether any vault is pending for finalised staking in a DAA while unregistering the DSS. There are no checks in finalisedstake to find where the vault is staked in the DSS.

Proof of Concept

https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/entities/Operator.sol#L181-L203

    function unregisterOperatorFromDSS(
        ....
    ) external {
        State storage operatorState = self.operatorState[operator];
        // Checks if all operator delegations are zero
        address[] memory vaults = getVaultsStakedToDSS(operatorState, dss);
        if (vaults.length != 0) revert AllVaultsNotUnstakedFromDSS();
        if (!isOperatorRegisteredToDSS(self, operator, dss)) revert OperatorNotValidatingForDSS();

        self.operatorState[operator].dssMap.remove(address(dss));
        HookLib.callHookIfInterfaceImplemented({
            ......
        });
    }

Even though vaults.length = 0, there can be a vault pending for finalised stake in that DSS which is going to be unregistered. Here, while unregistering a DSS from an operator, there are no checks done to ensure that any vault is pending for finalised staking.

So when validateAndUpdateVaultStakeInDSS is called, a new vault is added to the unregistered DSS mentioned in the queuedStakeUpdate.

Tools Used

Manual.

Recommended Mitigation Steps

Check pendingStakeUpdates for the vault in that DSS.

Assessed type

Context

c4-judge commented 2 months ago

MiloTruck marked the issue as unsatisfactory: Out of scope

c4-judge commented 2 months ago

MiloTruck marked the issue as not a duplicate

c4-judge commented 2 months ago

MiloTruck removed the grade

c4-judge commented 2 months ago

MiloTruck marked the issue as unsatisfactory: Insufficient proof

MiloTruck commented 2 months ago

The warden has not sufficiently demonstrated how it is possible for unregisterOperatorFromDSS() to be called while a vault has a pending update.

Even if it is possible, there is no impact on the protocol or its users described here.