Lines of code

https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/Core.sol#L146

Vulnerability details

Impact

This vulnerability was not resolved in the previous audit, despite being marked as fixed. This is M1 from audit/core/Renascence - Karak Core Audit Report.pdf .
Unregistered Operator can call finalizeUpdateVaultStakeInDSS from Core.sol which must only Callable for the registered Operator.

Proof of Concept

This vulnerability was not resolved in the previous audit, despite being marked as fixed. This is M1 from audit/core/Renascence - Karak Core Audit Report.pdf

Tools Used

Manual Review

Recommended Mitigation Steps

If every DSS ensures its own access control that the operator calling Core.finalizeUpdateVaultStakeInDSS() is registered with the DSS, then Core.finalizeUpdateVaultStakeInDSS() should set canFail = false to avoid recording an incorrect state in Core.sol. In the case where DSSs rely on Core.sol to perform an access control check on the operator,Core::finalizeUpdateVaultStakeInDSS() must have an onlyOperatorRegisteredToDSS modifier.

 function finalizeUpdateVaultStakeInDSS(Operator.QueuedStakeUpdate memory queuedStake)
        external
        nonReentrant
        whenFunctionNotPaused(Constants.PAUSE_CORE_FINALIZE_STAKE_UPDATE)       
{
+        isOperatorRegisteredToDSS(queuedStake.operator, queuedStake.updateRequest.dss);

Assessed type

Access Control

code-423n4 / 2024-07-karak-validation

The operator can still access `Core::finalizeUpdateVaultStakeInDSS()` even after unregistering from the DSS. #324

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

Assessed type