Liquid Staking
Stakelink
DeFiHardhatOracle
50,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

Vault is not removed from vaultMapping allowing removed vault to execute withdrawOperatorRewards

baz1ka

Summary

OperatorVCS manage allowed vaults using vaultMapping variable, which "check vault membership in this strategy". Because of mistake, vault can not be removed from this mapping still allowing vault to execute withdrawOperatorRewards().

Vulnerability Details

removeVault() removes a vault that has been queued for removal. This function removes vault both from removal request array and from vaults array, but is not removed from vaultMapping. This mapping is used in withdrawOperatorRewards() to check whether msg.sender is vault. If not, then transaction reverts with SenderNotAuthorized error. Because error in removeVault() vault is not removed from vaultMapping and thus allowing removed vault still claim rewards .

Recommendations

Remove vault from vaultMapping in removeVault():

diff --git a/contracts/linkStaking/OperatorVCS.sol b/contracts/linkStaking/OperatorVCS.sol
index 56aa2a0..14fc6c7 100644
--- a/contracts/linkStaking/OperatorVCS.sol
+++ b/contracts/linkStaking/OperatorVCS.sol
@@ -325,6 +325,7 @@ contract OperatorVCS is VaultControllerStrategy {
vaults[i] = vaults[i + 1];
}
vaults.pop();
+ vaultMapping[vault] = false;
token.safeTransfer(address(stakingPool), token.balanceOf(address(this)));
}
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

`removeVault` does not update `vaultMapping`

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!