code-423n4 / 2024-07-karak-findings


Operators can stake vaults without being registered in the DSS #69

Closed howlbot-integration[bot] closed 2 months ago

howlbot-integration[bot] commented 2 months ago

Lines of code

https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/Core.sol#L146
https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/Core.sol#L130
https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/Core.sol#L113

Vulnerability details

Impact

If a DSS wants to slash a vault's operator, then this operator must be registered within the DSS. This is validated in the requestSlashing function using the checkIfOperatorIsRegInRegDSS check. However, it is possible for a vault to be staked in a DSS without the operator of the vault being registered in the DSS. Therefore, the DSS will not be able to slash this vault.

Proof of Concept

When requesting a stake update, the function requestUpdateVaultStakeInDSS validates that the operator is registered in the DSS. However, the operator can request to update the stake when he is registered in the DSS, call the function unregisterOperatorFromDSS, which does not validate if the operator has pending requests and then will unregister the operator from the DSS. Finally, the operator can call the function finalizeUpdateVaultStakeInDSS, which does not validate that the operator of the vault being finalized is registered in the DSS. It is important to note that not even the hook call within finalizeUpdateVaultStakeInDSS will prevent this operation because ignoreFailure is set to true.

Tools Used

Manual Review

Recommended Mitigation Steps

Validate in finalizeUpdateStakeInDSS that the vault's operator whose stake is being finalized is registered in the DSS.

Assessed type

Other

c4-judge commented 2 months ago

MiloTruck marked the issue as unsatisfactory: Out of scope