Closed howlbot-integration[bot] closed 2 months ago
MiloTruck marked the issue as unsatisfactory: Out of scope
MiloTruck marked the issue as not a duplicate
MiloTruck removed the grade
MiloTruck marked the issue as unsatisfactory: Insufficient proof
The warden has not sufficiently demonstrated how it is possible for unregisterOperatorFromDSS()
to be called while a vault has a pending update.
Even if it is possible. there is no impact on the protocol or its users described here.
Lines of code
https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/entities/Operator.sol#L181-L203
Vulnerability details
Impact
There are no checks to find whether any vault is pending for finailsed staking in a DAA while unregistering the DSS…. There are no checks in finalisedstake to find where the vault is staked in the dss.
Proof of Concept
https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/entities/Operator.sol#L181-L203
Even though vaults.length = 0 there can be vault pending for finalised stake in that DSS which is going to be unregistered unregistered. Here while unregisterig a dss from an operator there are no checks done to ensure that any vault is pending for finalised staking.
So when the
validateAndUpdateVaultStakeInDSS
is called , a new vault is added to the unregistered DSS mentioned in thequeuedStakeUpdate
Tools Used
Manual.
Recommended Mitigation Steps
Check pendingStakeUpdates for the vault in that DSS.
Assessed type
Context