Operators can finalize their vault staking to DSS even after unregistering from them due to missing registered check for operator on DSS

[howlbot-integration[bot]]

Lines of code

https://github.com/code-423n4/2024-07-karak/blob/main/src/Core.sol#L146

Vulnerability details

Impact

• The finalizeUpdateVaultStakeInDSS function allows the operators to still register to the DSS even after unregistering from them after placing the vault stake update request.
• This allows them to prevent from getting slashed from the operators and perform their tasks.

Proof of Concept

    function finalizeUpdateVaultStakeInDSS(Operator.QueuedStakeUpdate memory queuedStake)
        external
        nonReentrant
        whenFunctionNotPaused(Constants.PAUSE_CORE_FINALIZE_STAKE_UPDATE)
    {
        _self().validateAndUpdateVaultStakeInDSS(queuedStake);
        emit FinishedStakeUpdate(queuedStake);
    }

• Operator registers them to a DSS.
• Then deploys their vault and creates a request to register on DSS.
• Then unregisters from DSS, the operator will be able to perform this task as they have no vault staked to that DSS (only request is placed, but to the mapping corresponding to that DSS no vaults are added in the array).
• Then call the finalizeUpdateVaultStakeInDSS to finally update their stake to the DSS.
• Thus, operator have successfully put their stake to DSS, but are actually not registered.

Tools Used

Manual Review

Recommended Mitigation Steps

In the finalizeUpdateVaultStakeInDSS, add the following function check:

isOperatorRegisteredToDSS(queuedStake.operator, queuedStake.updateRequest.dss)

Assessed type

Context

[c4-judge]

MiloTruck marked the issue as unsatisfactory: Out of scope