Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: medium
Invalid

Check for claimPeriodActive() in OperatorVCS.sol can be bypassed

Summary

The check for claimPeriodActive() in OperatorVCS.sol can be bypassed.

https://github.com/Cyfrin/2024-09-stakelink/blob/main/contracts/linkStaking/OperatorVCS.sol#L294-L296

Vulnerability Details

queueVaultRemoval()::OperatorVCS.sol checks whether the vault's claim period is active (bool = true). If so, it calls the removeVault() function to "remove the vault right away".

// if possible, remove vault right away
if (vaults[_index].claimPeriodActive()) {
    removeVault(vaultsToRemove.length - 1);
}

But we can bypass the check for claimPeriodActive() in queueVaultRemoval()::OperatorVCS.sol by calling removeVault(_queueIndex) directly. There is no need to go through queueVaultRemoval(), because removeVault() is set as public:

function removeVault(uint256 _queueIndex) public {...}

https://github.com/Cyfrin/2024-09-stakelink/blob/main/contracts/linkStaking/OperatorVCS.sol#L304-L330

Impact

The claimPeriod restriction given by vaults[_index].claimPeriodActive() can be bypassed by calling the removeVault() function directly, making the queueVaultRemoval() function useless.
Then, a vault can be removed before the claimPeriod is active.

Tools Used

GitHub, manual reading.

Recommendations

=> removeVault()::OperatorVCS.sol should be set as internal to avoid being called externally to bypass the claimPeriod check:

function removeVault(uint256 _queueIndex) internal {...}

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
