Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: high
Invalid

DelegateCall Vulnerability inside VaultControllerStrategy.sol

Summary

The VaultControllerStrategy.sol contract uses delegatecall to interact with the VaultDepositController contract without verifying the existence or validity of the implementation contract. This omission can lead to security vulnerabilities, allowing malicious actors to exploit the proxy mechanism by setting an incorrect or self-destructed implementation contract. As a result, critical functions may return success without executing the intended logic, leading to potential loss of funds.

https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/linkStaking/base/VaultControllerStrategy.sol#L455

https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/linkStaking/base/VaultControllerStrategy.sol#L440

Vulnerability Details

In the VaultControllerStrategy contract, the deposit and withdraw functions perform delegatecall operations to the vaultDepositController contract. However, there is no verification to ensure that the vaultDepositController address points to a valid and existing contract. In Ethereum's proxy pattern, low-level calls such as delegatecall do not inherently verify the existence of the target contract. This design means that if the implementation contract is incorrectly set, non-existent, or has been self-destructed, the `delegatecall` will still return a success status without executing any actual code.

Impact

An attacker, herein referred to as Eve, can exploit this vulnerability in the following manner:

Eve gains the authority to upgrade the `vaultDepositController` to an incorrect or malicious contract address.

Users invoke deposit or withdraw functions, which internally use delegatecall to interact with the compromised vaultDepositController.

The `delegatecall` operations return success, misleading users into believing their transactions have been executed successfully.

Despite the success responses, no state changes or business logic are performed, rendering the contract's core functionalities inoperative.

Users may experience financial losses due to the inability to access or manage their funds, leading to diminished trust in the platform.

Exploit Scenario

Eve identifies that the VaultControllerStrategy lacks checks on the vaultDepositController during delegatecall operations.

Eve exploits privileged access to upgrade the vaultDepositController to point to a non-functional or malicious contract.

Users attempt to deposit or withdraw funds. The delegatecall operations return success without executing any underlying logic.

Believing their transactions are successful, users may continue interacting with the contract, unaware that their funds are inaccessible or mismanaged.

The inability to perform legitimate operations can lead to significant financial losses for users and irreparable damage to the platform's reputation.

Tools Used

manual code review

Recommendations

Before performing any delegatecall, verify that the vaultDepositController address points to a valid and deployed contract by checking its code size while ensuring that only highly trusted and multi-signed entities can perform upgrades to the `vaultDepositController`.
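The code-size check recommended above, as an added Solidity sketch that is not code from the stake.link repository: it places an unchecked delegatecall beside a checked one. `DepositLogic`, `StrategySketch` and every function and error name in it are hypothetical, and the controller address is assumed to be changeable only by a trusted owner.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Added illustration; all names are hypothetical, not the project's own.
contract DepositLogic {
    uint256 public total; // slot 0, must match the caller's storage layout

    function deposit(uint256 amount) external {
        total += amount;
    }
}

contract StrategySketch {
    uint256 public total;      // slot 0, written by DepositLogic through delegatecall
    address public controller; // delegatecall target

    error ControllerHasNoCode(address controller);
    error DelegateCallFailed(bytes returndata);

    constructor(address _controller) {
        controller = _controller;
    }

    // Unchecked form: when `controller` holds no code, the EVM runs nothing,
    // `ok` is still true and `total` is left unchanged.
    function depositUnchecked(uint256 amount) external returns (bool ok) {
        (ok, ) = controller.delegatecall(
            abi.encodeWithSelector(DepositLogic.deposit.selector, amount)
        );
    }

    // Checked form: revert when the target has no deployed code, and bubble
    // up a failure instead of returning a status the caller may ignore.
    function depositChecked(uint256 amount) external {
        address target = controller;
        if (target.code.length == 0) revert ControllerHasNoCode(target);

        (bool ok, bytes memory ret) = target.delegatecall(
            abi.encodeWithSelector(DepositLogic.deposit.selector, amount)
        );
        if (!ok) revert DelegateCallFailed(ret);
    }
}
```

The length check only catches a target with no code (never deployed, wrong address, or self-destructed); it says nothing about whether the deployed code is the intended implementation, which is why the recommendation also restricts who can change the controller.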

Contract upgrade anti-patterns | Trail of Bits Blog

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

0bingo76 Submitter
11 months ago
inallhonesty Lead Judge
10 months ago
inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
