Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: high
Invalid

[H-01] Unauthorized removal of vaults in OperatorVCS

Severity

High Risk

Relevant Github Links

https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/linkStaking/OperatorVCS.sol#L304

Summary

The removeVault function in OperatorVCS is publicly accessible, allowing attackers to remove vaults and transfer funds, causing operators to lose rewards.

Vulnerability Details

The removeVault function in OperatorVCS has public visibility, allowing anyone to call it. This means an attacker can remove any vaults in the OperatorVCS and transfer the funds back to the staking pool.

Operators may lose rewards as a result. Consider the following scenario:

  1. An attacker calls removeVault

  2. LINK tokens are transferred from the vaults to the StakingPool

  3. The WithdrawalPool's performUpkeep calls executeQueuedWithdrawals in PriorityPool, which then withdraws tokens from the StakingPool to the PriorityPool

At this point, the operator can call withdraw in the PriorityPool to retrieve their funds, but they will have lost the rewards that should have been accrued.

Impact

High risk as operators lose rewards in the process. It could lead to unintended operations and compromise the overall integrity of the protocol.

Tools Used

Manual Review

Recommendations

Add the onlyOwner modifier to the removeVault function to ensure that only the owner can remove operator vaults, similar to the addVault function.
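
The kind of gap this recommendation targets can be screened for before manual review. The following Python check is an added example, not part of the submission or the Stakelink code base: it lists public/external state-changing functions declared without an access-control modifier. The Solidity sample is constructed and the modifier list is an assumption; checks enforced inside a function body are not seen, so every hit is only a candidate for manual review.

```python
import re

# Constructed sample, NOT the real OperatorVCS source: signatures and bodies
# are hypothetical and only mirror the function names used in the report.
SAMPLE_SOURCE = """
contract SampleVCS {
    function addVault(address _operator) external onlyOwner {
        vaults.push(_operator);
    }

    function removeVault(uint256 _queueIndex) public {
        delete vaults[_queueIndex];
    }

    function getVaults() external view returns (address[] memory) {
        return vaults;
    }

    function _deposit(uint256 _amount) internal {
        total += _amount;
    }
}
"""

# Modifier names treated as access control (assumption; adjust per code base).
ACCESS_MODIFIERS = {"onlyOwner", "onlyRole"}

# Function name, parameter list, then the declaration up to the opening brace.
FUNC_RE = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)([^{;]*)\{")


def unguarded_functions(source):
    """Return names of public/external state-changing functions whose
    declaration carries none of the ACCESS_MODIFIERS."""
    flagged = []
    for name, _params, header in FUNC_RE.findall(source):
        words = set(re.findall(r"\w+", header))
        if not words & {"public", "external"}:
            continue  # internal/private: not directly callable
        if words & {"view", "pure"}:
            continue  # read-only, cannot move funds
        if words & ACCESS_MODIFIERS:
            continue  # guarded in the declaration
        flagged.append(name)
    return flagged


if __name__ == "__main__":
    print(unguarded_functions(SAMPLE_SOURCE))
```
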

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
