Impact
If a DSS wants to slash a vault's operator, then this operator must be registered within the DSS. This is validated in the requestSlashing function using the checkIfOperatorIsRegInRegDSS check. However, it is possible for a vault to be staked in a DSS without the operator of the vault being registered in the DSS. Therefore, the DSS will not be able to slash this vault.
Proof of Concept
When requesting a stake update, the function requestUpdateVaultStakeInDSS validates that the operator is registered in the DSS. However, the operator can request the stake update while registered in the DSS, then call unregisterOperatorFromDSS, which does not check whether the operator has pending requests and unregisters the operator from the DSS. Finally, the operator can call finalizeUpdateVaultStakeInDSS, which does not validate that the operator of the vault being finalized is registered in the DSS. Note that not even the hook call within finalizeUpdateVaultStakeInDSS prevents this operation, because ignoreFailure is set to true.
Tools Used
Manual Review
Recommended Mitigation Steps
Validate in finalizeUpdateVaultStakeInDSS that the operator of the vault whose stake is being finalized is registered in the DSS.
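The sequence above and the effect of the recommended check, as a small Python model added here for illustration (not Karak's Core.sol and not code from the report). Method names are snake_case stand-ins for the functions named in the report, register_operator_to_dss and the check_on_finalize switch are hypothetical, and the delay between request and finalize is left out.

```python
# Simplified model of the reported flow; not the project's contract code.
class NotRegistered(Exception):
    pass

class CoreModel:
    def __init__(self, check_on_finalize):
        self.check_on_finalize = check_on_finalize  # models the recommended mitigation
        self.registered = set()  # (operator, dss) pairs
        self.pending = {}        # vault -> (operator, dss, to_stake)
        self.staked = set()      # (vault, dss) pairs

    def register_operator_to_dss(self, operator, dss):  # hypothetical name
        self.registered.add((operator, dss))

    def unregister_operator_from_dss(self, operator, dss):
        # As reported: pending stake update requests are not checked here.
        self.registered.discard((operator, dss))

    def request_update_vault_stake_in_dss(self, operator, vault, dss, to_stake):
        if (operator, dss) not in self.registered:
            raise NotRegistered("request: operator not registered in DSS")
        self.pending[vault] = (operator, dss, to_stake)

    def finalize_update_vault_stake_in_dss(self, vault):
        operator, dss, to_stake = self.pending[vault]
        if self.check_on_finalize and (operator, dss) not in self.registered:
            raise NotRegistered("finalize: operator not registered in DSS")
        del self.pending[vault]
        if to_stake:
            self.staked.add((vault, dss))
        else:
            self.staked.discard((vault, dss))

    def request_slashing(self, operator, vault, dss):
        # Mirrors the registration check the report describes in requestSlashing.
        if (operator, dss) not in self.registered:
            raise NotRegistered("slash: operator not registered in DSS")
        return (vault, dss) in self.staked

def run_reported_sequence(check_on_finalize):
    """Replay request -> unregister -> finalize; return (staked, slashable)."""
    core = CoreModel(check_on_finalize)
    core.register_operator_to_dss("op", "dss")  # constructed sample names
    core.request_update_vault_stake_in_dss("op", "vault", "dss", True)
    core.unregister_operator_from_dss("op", "dss")
    try:
        core.finalize_update_vault_stake_in_dss("vault")
    except NotRegistered:
        pass
    try:
        slashable = core.request_slashing("op", "vault", "dss")
    except NotRegistered:
        slashable = False
    return ("vault", "dss") in core.staked, slashable
```

A result of (True, False) is the state the report describes: the vault is staked in the DSS but the DSS cannot slash it.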
Lines of code
https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/Core.sol#L146
https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/Core.sol#L130
https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/Core.sol#L113
Assessed type
Other