Manipulated Delegatecall Destinations in CommunityVCS.sol and OperatorVCS.sol
Summary
A critical vulnerability has been identified in the CommunityVCS.sol and OperatorVCS.sol also effecting VaultControllerStrategy.sol contract, specifically in the deposit and withdraw functions. These functions use delegatecall to execute logic from an external contract (vaultDepositController), which could potentially be exploited to execute arbitrary code.
Vulnerability Details
The destination could be manipulated through CommunityVCS.initialize(address,address,address,address,Fee[],uint256,uint256,uint128,uint128,address) (contracts/linkStaking/CommunityVCS.sol#41-78)
Manipulated call found: (success,None) = vaultDepositController.delegatecall(abi.encodeWithSelector(VaultDepositController.withdraw.selector,_amount,_data)) (contracts/linkStaking/base/VaultControllerStrategy.sol#455-457) in VaultControllerStrategy.withdraw(uint256,bytes) (contracts/linkStaking/base/VaultControllerStrategy.sol#452-460
The destination could be manipulated through OperatorVCS.initialize(address,address,address,address,Fee[],uint256,uint256,uint256,address) (contracts/linkStaking/OperatorVCS.sol#52-88)
Manipulated call found: (success,None) = vaultDepositController.delegatecall(abi.encodeWithSelector(VaultDepositController.withdraw.selector,_amount,_data)) (contracts/linkStaking/base/VaultControllerStrategy.sol#455-457) in VaultControllerStrategy.withdraw(uint256,bytes) (contracts/linkStaking/base/VaultControllerStrategy.sol#452-460)
Results from test on both OperatorVCS.sol and CommunityVCS.sol
yarn test test/linkStaking/operator-vcs.test.ts
OperatorVCS
Warning: Potentially unsafe deployment of contracts/linkStaking/OperatorVCS.sol:OperatorVCS
Warning: Potentially unsafe deployment of contracts/linkStaking/CommunityVCS.sol:CommunityVCS
(node:1061) PromiseRejectionHandledWarning: Promise rejection was handled asynchronously (rejection id: 130)
(Use node --trace-warnings ... to show where the warning was created)
✔ setRewardsReceiver should work correctly (51ms)
11 passing (10s)
yarn test test/linkStaking/community-vcs.test.ts
CommunityVCS
Warning: Potentially unsafe deployment of contracts/linkStaking/CommunityVCS.sol:CommunityVCS
5 passing (9s)
Impact
The impact of this vulnerability is severe. If exploited, an attacker could:
Execute arbitrary code within the context of the VaultControllerStrategy contract
Manipulate the contract's state, potentially leading to unauthorized token transfers
Bypass intended access controls
Potentially drain funds or take complete control of the contract's functionality
This vulnerability puts all funds managed by these contracts at risk.
Tools Used
Manual code review
slitherin . --pess
yarn test
Recommendations
If delegatecall must be used:
Implement a robust access control system for setting the vaultDepositController address, including multi-signature requirements and time-lock mechanisms.
Add thorough checks before and after the delegatecall to ensure state consistency.
Consider implementing a "static call" to validate the behavior of the target function before executing the delegatecall.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.