Operators can stake a vault more than once to a single DSS

[howlbot-integration[bot]]

Lines of code

https://github.com/code-423n4/2024-07-karak/blob/ab18e1f6c03e118158369527baa2487b2b4616b1/src/Core.sol#L130

Vulnerability details

Impact

Operators can request and finalize staking a vault more than once to a single DSS which will also allow spending unnecessary gas fee.

Proof of Concept

Add the below test function in /test/core/operatorDSS.t.sol and then run the test with this forge command. forge test --mt test_my_request_stake_update_request

function test_my_request_stake_update_request(uint256 time) public {
        deposit_into_vaults();
        vm.assume(time > Constants.MIN_STAKE_UPDATE_DELAY);
        vm.assume(time < type(uint256).max / 10);

        address requestedVault = address(vaults[0]);

        Operator.StakeUpdateRequest memory stakeUpdate =
            Operator.StakeUpdateRequest({vault: requestedVault, dss: dss, toStake: true});

        vm.startPrank(operator);
        Operator.QueuedStakeUpdate memory queuedStakeUpdate1 = core.requestUpdateVaultStakeInDSS(stakeUpdate);

        vm.warp(block.timestamp + time);
        core.finalizeUpdateVaultStakeInDSS(queuedStakeUpdate1);

        vm.startPrank(operator);
        Operator.QueuedStakeUpdate memory queuedStakeUpdate2 = core.requestUpdateVaultStakeInDSS(stakeUpdate);

        vm.warp(block.timestamp + time + time);
        core.finalizeUpdateVaultStakeInDSS(queuedStakeUpdate2);
}

Tools Used

Manual review

Recommended Mitigation Steps

Add a check for when the vault was already staked to a DSS by the operator.

Assessed type

Invalid Validation

[c4-judge]

MiloTruck marked the issue as unsatisfactory: Out of scope

[c4-judge]

MiloTruck marked the issue as not a duplicate

[c4-judge]

MiloTruck removed the grade

[c4-judge]

MiloTruck marked the issue as duplicate of #61

[c4-judge]

MiloTruck changed the severity to QA (Quality Assurance)

[c4-judge]

MiloTruck marked the issue as grade-b