code-423n4 / 2024-07-karak-validation


no checks to find whether any vault is pending for finalised staking in a DAA while unregistering the DSS #353

Closed c4-bot-9 closed 2 months ago

c4-bot-9 commented 2 months ago

Lines of code

https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/entities/Operator.sol#L181-L203

Vulnerability details

Impact

There are no checks to find whether any vault is pending for finalised staking in a DAA while unregistering the DSS…. There are no checks in finalisedstake to find where the vault is staked in the dss.

Proof of Concept

https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/entities/Operator.sol#L181-L203

    function unregisterOperatorFromDSS(
        ....
    ) external {
        State storage operatorState = self.operatorState[operator];
        // Checks if all operator delegations are zero
        address[] memory vaults = getVaultsStakedToDSS(operatorState, dss);
        if (vaults.length != 0) revert AllVaultsNotUnstakedFromDSS();
        if (!isOperatorRegisteredToDSS(self, operator, dss)) revert OperatorNotValidatingForDSS();

        self.operatorState[operator].dssMap.remove(address(dss));
        HookLib.callHookIfInterfaceImplemented({
            ......
        });
    }

Even though vaults.length = 0, there can be a vault pending for finalised stake in that DSS which is going to be unregistered. Here, while unregistering a DSS from an operator, there are no checks done to ensure that any vault is pending for finalised staking.

So when the validateAndUpdateVaultStakeInDSS is called, a new vault is added to the unregistered DSS mentioned in the queuedStakeUpdate.

Tools Used

Manual.

Recommended Mitigation Steps

Check pendingStakeUpdates for the vault in that DSS.

Assessed type

Context
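
The mitigation recommended above, sketched as an added example (not code from the report or from Karak): a simplified registry that counts queued stake updates per DSS and refuses to unregister while any are pending. The storage layout, `requestStake`, `finalizeStake`, and the `PendingStakeUpdateForDSS` and `AlreadyFinalized` errors are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Simplified model for illustration; not Karak's Operator.sol.
/// Storage layout, requestStake/finalizeStake and PendingStakeUpdateForDSS are assumptions.
contract DssRegistryModel {
    error AllVaultsNotUnstakedFromDSS();
    error OperatorNotValidatingForDSS();
    error PendingStakeUpdateForDSS();
    error AlreadyFinalized();

    struct QueuedStakeUpdate { address vault; address dss; bool finalized; }

    mapping(address => mapping(address => bool)) public registered;      // operator => dss => registered
    mapping(address => mapping(address => uint256)) public stakedCount;  // finalized stakes
    mapping(address => mapping(address => uint256)) public pendingCount; // queued, not yet finalized
    mapping(address => QueuedStakeUpdate[]) private queue;               // operator => queued updates

    function registerOperatorToDSS(address dss) external {
        registered[msg.sender][dss] = true;
    }

    // Step 1: queue a stake of `vault` to `dss` and count it as pending.
    function requestStake(address vault, address dss) external returns (uint256 id) {
        if (!registered[msg.sender][dss]) revert OperatorNotValidatingForDSS();
        id = queue[msg.sender].length;
        queue[msg.sender].push(QueuedStakeUpdate(vault, dss, false));
        pendingCount[msg.sender][dss] += 1;
    }

    // Step 2: finalize. Registration is re-checked because it may have changed since step 1.
    function finalizeStake(uint256 id) external {
        QueuedStakeUpdate storage q = queue[msg.sender][id];
        if (q.finalized) revert AlreadyFinalized();
        if (!registered[msg.sender][q.dss]) revert OperatorNotValidatingForDSS();
        q.finalized = true;
        pendingCount[msg.sender][q.dss] -= 1;
        stakedCount[msg.sender][q.dss] += 1;
    }

    function unregisterOperatorFromDSS(address dss) external {
        // Same check as the quoted excerpt: no finalized stakes may remain.
        if (stakedCount[msg.sender][dss] != 0) revert AllVaultsNotUnstakedFromDSS();
        // Added check from the recommended mitigation: no queued stake may target this DSS.
        if (pendingCount[msg.sender][dss] != 0) revert PendingStakeUpdateForDSS();
        if (!registered[msg.sender][dss]) revert OperatorNotValidatingForDSS();
        registered[msg.sender][dss] = false;
    }
}
```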