When an operator is unregistered from a DSS, there are no checks to find whether any vault still has a stake pending finalisation in that DSS. There are also no checks when the stake is finalised to find where the vault is staked in the DSS.
    function unregisterOperatorFromDSS(
        ....
    ) external {
        State storage operatorState = self.operatorState[operator];
        // Checks if all operator delegations are zero
        address[] memory vaults = getVaultsStakedToDSS(operatorState, dss);
        if (vaults.length != 0) revert AllVaultsNotUnstakedFromDSS();
        if (!isOperatorRegisteredToDSS(self, operator, dss)) revert OperatorNotValidatingForDSS();
        self.operatorState[operator].dssMap.remove(address(dss));
        HookLib.callHookIfInterfaceImplemented({
            ......
        });
    }
Even though vaults.length is 0, there can still be a vault whose stake is pending finalisation in the DSS that is about to be unregistered.
While unregistering a DSS from an operator, no check is done to ensure that no vault has a stake pending finalisation.
So when validateAndUpdateVaultStakeInDSS is called, a new vault is added to the unregistered DSS mentioned in the queuedStakeUpdate.
Tools Used
Manual.
Recommended Mitigation Steps
Check pendingStakeUpdates for the vault in that DSS.
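One way to express this mitigation in a simplified model, as an added example that is not Karak's code and not part of the original report. Only unregisterOperatorFromDSS, AllVaultsNotUnstakedFromDSS and OperatorNotValidatingForDSS come from the page; the storage layout, the other functions and the other errors are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Simplified model of the two-step staking flow (assumed layout, not Karak's).
/// The operator is msg.sender; vaults are reduced to per-DSS counters.
contract OperatorDssModel {
    error AllVaultsNotUnstakedFromDSS();
    error OperatorNotValidatingForDSS();
    error PendingStakeUpdateForDSS(); // hypothetical error name
    error NoQueuedUpdate();           // hypothetical error name

    // operator => dss => value
    mapping(address => mapping(address => bool)) public registered;
    mapping(address => mapping(address => uint256)) public stakedVaults;
    mapping(address => mapping(address => uint256)) public pendingUpdates;

    function registerOperatorToDSS(address dss) external {
        registered[msg.sender][dss] = true;
    }

    // Step 1: queue a stake. It does not count as staked yet.
    function requestStake(address dss) external {
        if (!registered[msg.sender][dss]) revert OperatorNotValidatingForDSS();
        pendingUpdates[msg.sender][dss] += 1;
    }

    // Step 2: finalise a queued stake. Registration is checked again here,
    // so a stake can never land in a DSS the operator has left.
    function finalizeStake(address dss) external {
        if (pendingUpdates[msg.sender][dss] == 0) revert NoQueuedUpdate();
        if (!registered[msg.sender][dss]) revert OperatorNotValidatingForDSS();
        pendingUpdates[msg.sender][dss] -= 1;
        stakedVaults[msg.sender][dss] += 1;
    }

    function unregisterOperatorFromDSS(address dss) external {
        if (stakedVaults[msg.sender][dss] != 0) revert AllVaultsNotUnstakedFromDSS();
        // Added check: a queued but unfinalised stake also blocks unregistration.
        if (pendingUpdates[msg.sender][dss] != 0) revert PendingStakeUpdateForDSS();
        if (!registered[msg.sender][dss]) revert OperatorNotValidatingForDSS();
        registered[msg.sender][dss] = false;
    }
}
```

In this model an operator with a queued stake has to finalise and unstake it before unregistering; a real implementation would also need a path to cancel a queued update.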
Lines of code
https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/entities/Operator.sol#L181-L203
Assessed type
Context