Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: medium
Valid

A vault's reward receiver is able to call `withdrawOperatorRewards()` in OperatorVCS.sol even if the vault has been removed

Summary

A vault's rewards receiver is able to trigger `withdrawOperatorRewards()` from the OperatorVCS.sol contract even though the vault might have been removed from the strategy. This is possible because `vaultMapping`, which tracks the status of the vaults, is not updated on removal.

Vulnerability Details

In the contract OperatorVCS.sol there is a function `withdrawOperatorRewards()` that is called by vaults in order to withdraw rewards from the operator. This function checks whether `msg.sender` is a vault contained in the mapping `vaultMapping` and reverts if the sender is not authorized.

The problem is that the function can still be called and executed even though the vault might have been removed (by calling `queueVaultRemoval()` and then `removeVault()`), since the mapping is never updated and the authorization check will always succeed.

Impact

The impact is low because, as part of the removal process, all of the vault's rewards will be withdrawn and it will no longer be possible to deposit into this vault or to consider it for rewards. However, a malicious reward receiver from the removed vault is still able to call the function indefinitely.

Tools Used

Manual Review, VS Code

Recommendations

When removing a vault, make sure to update `vaultMapping` in the `removeVault()` function:

```solidity
vaultMapping[vault] = false;
```
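The recommendation in context, as an added example that is not part of the original submission and is not the Stakelink code: a simplified model contract showing the removal path that leaves the flag set next to the one that clears it. Only `vaultMapping`, `withdrawOperatorRewards` and `removeVault` are names from the finding; the contract name, the `vaults` list, `addVault`, `removeVaultUnfixed`, `withdrawCalls` and the error name are assumptions, and owner-only access control is omitted for brevity.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Simplified model for illustration; not the Stakelink OperatorVCS source.
// Owner checks on the add/remove functions are omitted to keep it short.
contract VaultRegistryModel {
    address[] public vaults;                      // hypothetical vault list
    mapping(address => bool) public vaultMapping; // authorization flag per vault
    uint256 public withdrawCalls;                 // stands in for reward accounting

    error SenderNotAuthorized();

    function addVault(address vault) external {
        vaults.push(vault);
        vaultMapping[vault] = true;
    }

    // Authorization check as described in the finding: only the mapping is consulted.
    function withdrawOperatorRewards() external {
        if (!vaultMapping[msg.sender]) revert SenderNotAuthorized();
        withdrawCalls++;
    }

    // Before: the vault leaves the list but its flag stays true, so the
    // check above keeps passing for the removed vault.
    function removeVaultUnfixed(uint256 index) external {
        _removeFromList(index);
    }

    // After: clear the flag in the same call that removes the vault, so a
    // later withdrawOperatorRewards() from that address reverts.
    function removeVault(uint256 index) external {
        address vault = vaults[index];
        _removeFromList(index);
        vaultMapping[vault] = false;
    }

    // Swap-and-pop removal; list order is not preserved.
    function _removeFromList(uint256 index) private {
        vaults[index] = vaults[vaults.length - 1];
        vaults.pop();
    }
}
```

A regression test for the fix would remove a vault and then assert that a call from the removed vault's address reverts with the authorization error.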

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

`removeVault` does not update `vaultMapping`
