Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: medium
Invalid

Claim period check in `queueVaultRemoval` can be bypassed by directly calling `removeVault`

Summary

In the `OperatorVCS` contract, a vault is removed in two steps: `queueVaultRemoval` and `removeVault`.
In the `queueVaultRemoval` function, if the vault is in the claim period, the vault is removed immediately by calling `removeVault`.

However, `removeVault` is open to the public and performs no additional check, so the vault can be removed even though it's not in the claim period.

Vulnerability Details

Here's a code snippet of the `queueVaultRemoval` function:

```solidity
function queueVaultRemoval(uint256 _index) external {
    address vault = address(vaults[_index]);
    if (!IVault(vault).isRemoved()) revert OperatorNotRemoved();
    for (uint256 i = 0; i < vaultsToRemove.length; ++i) {
        if (vaultsToRemove[i] == vault) revert VaultRemovalAlreadyQueued();
    }
    vaultsToRemove.push(address(vaults[_index]));
    // update group accounting if vault is part of a group
    if (_index < globalVaultState.depositIndex) {
        ...
        // if possible, remove vault right away
>       if (vaults[_index].claimPeriodActive()) {
            removeVault(vaultsToRemove.length - 1);
        }
    }
}
```

As shown above, `removeVault` is only called when the vault is in the claim period.
However, the `removeVault` function can be called by anyone at any time to remove a queued vault.

Impact

The vault can be removed even though it's not in the claim period.

Tools Used

Manual Review

Recommendations

The `removeVault` function should have an additional check for the claim period so that the vault can only be removed during the claim period.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
