Liquid Staking

Summary

The removeOperators function in the provided Solidity code fails to send tokens to the operator address before removing them from the staking contract, thereby leading to loss of staked tokens.

Vulnerability Details

• The removeOperator() can only be called by the owner of the operator staking pool and is used to remove existing operators. The function however does not transfer the token shares to the operator’s address before removing them from the staking contract. This can result in the loss of tokens that were staked by the operator. The function also fails to queue withdrawal for the operator address before remove them from the staking contract.

• removeOperators below makes call to _withdraw() to withdraw tokens for operator before the operator is removed from the staking pool. The _withdraw() however only adjust pool state and fails to send shares to the operator before removing them

  function removeOperators(address[] calldata _operators) external onlyOwner {

  uint256 numOperators = operators.length;//operators.length

  ​

  for (uint256 i = 0; i < _operators.length; ++i) {

  address operator = _operators[i];//each operator

  if (!isOperator(operator)) revert OperatorNotFound();//reverts if not operator

  ​

  uint256 staked = getOperatorStaked(operator);// gets total amoount staked

  if (staked != 0) {

  _withdraw(operator, staked);

  }

  ​

  operatorMap[operator] = false;

  for (uint256 j = 0; j < numOperators; ++j) {

  if (operators[j] == operator) {

  operators[j] = operators[numOperators - 1];

  operators.pop();

  --numOperators;

  }

  }

  }

  }

here is the withdraw() function

Impact

High as operators lose funds

Tools Used

Manual review

Recommendations

Ensure that the appropriate token shares are transferred to the operator’s address before removing them from the staking contract.