code-423n4 / 2024-07-karak-findings


Missing access control in `Core::finalizeUpdateVaultStakeInDSS` allows unauthorized stake updates #90

Closed howlbot-integration[bot] closed 2 months ago

howlbot-integration[bot] commented 2 months ago

Lines of code

https://github.com/code-423n4/2024-07-karak/blob/main/src/Core.sol#L143-L153

Vulnerability details

Impact

`Core::finalizeUpdateVaultStakeInDSS` doesn't check if the operator is registered with the DSS, which allows any address to call this function and finalize stake updates.

An operator could:

  1. Call `Core::requestUpdateVaultStakeInDSS`
  2. Unregister from the DSS by using `Core::unregisterOperatorFromDSS()`
  3. Finally call `Core::finalizeUpdateVaultStakeInDSS()`

As suggested by Renascence's audit report on the Core contract, this vulnerability could be used to:

  1. Finalize stake updates for operators who are no longer registered with a DSS.
  2. Bypass the intended access control, potentially leading to unauthorized stake manipulations.
  3. Cause inconsistencies between the Core contract's state and the DSS's expectations, e.g. preventing the DSS from slashing the misbehaving operator.

Recommended Mitigation Steps

Add a `checkIfOperatorIsRegInRegDSS` call to `Core::finalizeUpdateVaultStakeInDSS`, to ensure that only an operator registered with the DSS can call the function:

```diff
function finalizeUpdateVaultStakeInDSS(Operator.QueuedStakeUpdate memory queuedStake)
    external
    nonReentrant
    whenFunctionNotPaused(Constants.PAUSE_CORE_FINALIZE_STAKE_UPDATE)
{
+   _self().checkIfOperatorIsRegInRegDSS(queuedStake.operator, queuedStake.updateRequest.dss);
    _self().validateAndUpdateVaultStakeInDSS(queuedStake);
    emit FinishedStakeUpdate(queuedStake);
}
```

Assessed type

Access Control
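A simplified, self-contained model of the request / unregister / finalize flow described in this finding, added here as an example and not code from the Karak repository: contract, function and field names are assumptions, DSS registration is modelled as a plain mapping, and the vulnerable and hardened finalize functions sit side by side so the effect of re-checking registration at finalize time can be seen.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical model of the stake-update state machine; not Karak's Core.sol.
contract StakeUpdateModel {
    struct QueuedStakeUpdate {
        address operator;
        address dss;
        address vault;
        uint256 newStake;
        uint256 startTimestamp;
    }

    uint256 public constant DELAY = 1 days;
    // operator => dss => registered
    mapping(address => mapping(address => bool)) public isOperatorRegisteredInDSS;
    // vault => dss => stake currently recognised by the DSS
    mapping(address => mapping(address => uint256)) public stakeInDSS;
    // Hash of a queued update that has been requested but not yet finalized.
    mapping(bytes32 => bool) public pending;

    function registerOperatorToDSS(address dss) external { isOperatorRegisteredInDSS[msg.sender][dss] = true; }
    function unregisterOperatorFromDSS(address dss) external { isOperatorRegisteredInDSS[msg.sender][dss] = false; }

    // Registration is checked here, at request time only.
    function requestUpdateVaultStakeInDSS(address dss, address vault, uint256 newStake)
        external returns (QueuedStakeUpdate memory q)
    {
        require(isOperatorRegisteredInDSS[msg.sender][dss], "operator not registered in DSS");
        q = QueuedStakeUpdate(msg.sender, dss, vault, newStake, block.timestamp);
        pending[keccak256(abi.encode(q))] = true;
    }

    // Vulnerable form: an operator that unregistered after requesting can still
    // finalize, because nothing re-checks registration at this point.
    function finalizeUpdateVaultStakeInDSS_vulnerable(QueuedStakeUpdate memory q) external {
        _finalize(q);
    }

    // Hardened form (the recommended mitigation): re-check registration at finalize time.
    function finalizeUpdateVaultStakeInDSS(QueuedStakeUpdate memory q) external {
        require(isOperatorRegisteredInDSS[q.operator][q.dss], "operator not registered in DSS");
        _finalize(q);
    }

    function _finalize(QueuedStakeUpdate memory q) internal {
        bytes32 key = keccak256(abi.encode(q));
        require(pending[key], "no such pending update");
        require(block.timestamp >= q.startTimestamp + DELAY, "delay not elapsed");
        delete pending[key];
        stakeInDSS[q.vault][q.dss] = q.newStake;
    }
}
```

Running request, then `unregisterOperatorFromDSS`, then finalize after `DELAY` succeeds against the `_vulnerable` variant and reverts against the hardened one, which is the behaviour difference the finding is about.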

c4-judge commented 2 months ago

MiloTruck marked the issue as unsatisfactory: Out of scope