Core::finalizeUpdateVaultStakeInDSS doesn't check if the operator is registered with the DSS, which allows any address to call this function and finalize stake updates.
An operator could:
1. Call Core::requestUpdateVaultStakeInDSS
2. Unregister from the DSS by using Core::unregisterOperatorFromDSS()
3. Finally call Core::finalizeUpdateVaultStakeInDSS()
As suggested by Renascence's audit report on the Core contract, this vulnerability could be used to:
- Finalize stake updates for operators who are no longer registered with a DSS.
- Bypass the intended access control, potentially leading to unauthorized stake manipulations.
- Cause inconsistencies between the Core contract's state and the DSS's expectations, e.g. preventing the DSS from slashing the misbehaving operator.
Recommended Mitigation Steps
Add the checkIfOperatorIsRegInRegDSS function call to the Core::finalizeUpdateVaultStakeInDSS function, to ensure only the registered operator can call the function:
Lines of code
https://github.com/code-423n4/2024-07-karak/blob/main/src/Core.sol#L143-L153
Assessed type
Access Control
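The request, unregister, finalize sequence described above, as an added example that is not Karak's Core.sol and not code from the report: a simplified model with the unchecked finalize beside one that re-checks registration. The contract, its storage layout and every function name in it are assumptions made for illustration, and the delay between request and finalize is left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model of a request/finalize stake update; not Karak's Core.sol.
// All names and the storage layout are hypothetical.
contract StakeUpdateModel {
    struct Pending { address vault; bool toStake; bool exists; }

    // operator => dss => registered?
    mapping(address => mapping(address => bool)) public registered;
    // operator => dss => queued request
    mapping(address => mapping(address => Pending)) public pending;
    // operator => dss => vault => staked?
    mapping(address => mapping(address => mapping(address => bool))) public staked;

    error NotRegistered();
    error NothingPending();

    function register(address dss) external { registered[msg.sender][dss] = true; }

    function unregister(address dss) external { registered[msg.sender][dss] = false; }

    function requestUpdate(address dss, address vault, bool toStake) external {
        if (!registered[msg.sender][dss]) revert NotRegistered();
        pending[msg.sender][dss] = Pending(vault, toStake, true);
    }

    // Behaviour described in the finding: no registration check, any caller,
    // so a request queued before unregister() still takes effect.
    function finalizeUnchecked(address operator, address dss) external {
        _apply(operator, dss);
    }

    // Hardened form: the caller must be the operator and must still be
    // registered with the DSS at finalize time (stand-in for the check
    // the report recommends adding).
    function finalizeChecked(address dss) external {
        if (!registered[msg.sender][dss]) revert NotRegistered();
        _apply(msg.sender, dss);
    }

    function _apply(address operator, address dss) private {
        Pending memory p = pending[operator][dss];
        if (!p.exists) revert NothingPending();
        delete pending[operator][dss];
        staked[operator][dss][p.vault] = p.toStake;
    }
}
```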