Open howlbot-integration[bot] opened 2 months ago
MiloTruck marked the issue as unsatisfactory: Out of scope
MiloTruck removed the grade
MiloTruck marked the issue as not a duplicate
MiloTruck marked the issue as duplicate of #21
MiloTruck changed the severity to QA (Quality Assurance)
MiloTruck marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2024-07-karak/blob/main/src/entities/Operator.sol#L128
Vulnerability details
Impact
In
Operator::validateAndUpdateVaultStakeInDSS()
ignoreFailure
is set to true which means the DSS cannot cancel a started update even if the vault doesn't meet its conditions anymore.Proof of Concept
Let's look at the following example:
Core::requestUpdateVaultStakeInDSS()
to stake that vault. The DSS accepts it (doesn't revert).totalAssets()
of the vault are <= 100 000e18 which no longer meets the second DSS requirement.Core::finalizeUpdateVaultStakeInDSS()
and even if the DSS reverts, it will not affect the transcation and the state will be updated, so now that vault is staked in both DSSs without the consent of the second one.Notice that
Core::requestUpdateVaultStakeInDSS
has anignoreFailure: !requestStakeUpdate.toStake
which is correct, however when finalizing, the ignoreFailure is set totrue
instead of!toStake
. This prevents the DSS from canceling the update if the vault changes somehow in the meantime.Tools Used
Manual Review
Recommended Mitigation Steps
In
Operator::validateAndUpdateVaultStakeInDSS()
setignoreFailure
to!queuedStakeUpdate.updateRequest.toStake
Assessed type
Invalid Validation