J4de - `LockstakeEngine` operators can call `hope` infinitely to prevent themselves from being `nope`

[sherlock-admin4]

J4de

Medium

LockstakeEngine operators can call hope infinitely to prevent themselves from being nope

Summary

LockstakeEngine operators can call hope infinitely to prevent themselves from being nope.

Vulnerability Detail

The LockstakeEngine.hope function is used to grant operator permissions to a certain address. It allows the position owner or operator to call it. And it can grant unlimited addresses as operators.

Operators can use this function to authorize an unlimited number of addresses, making it impossible for users to deauthorize them. In more serious cases, users may mistakenly believe that they have revoked authorization.

Impact

Users cannot delete operator permissions. And users may mistakenly think that they have deleted operator permissions and not transfer positions.

Code Snippet

https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/lockstake/src/LockstakeEngine.sol#L248-#L251

Tool used

Manual Review

Recommendation

It is recommended that only the owner of the urn can call hope.

[telome]

Duplication of informational 3.3.9 issue in https://github.com/makerdao/lockstake/blob/sherlock-contest/audit/20240626-cantina-report-maker-LSE.pdf. A malicious operator can already rug the urn, so it doesn't need to hope other addresses. Urn owners should only hope parties they trust.