Liquid Staking (Stakelink)
Categories: DeFi, Hardhat, Oracle
Prize pool: 50,000 USDC

Submission Details
Severity: High
Status: Invalid

Lack of Access Control in `OperatorVCS::queueVaultRemoval` and `OperatorVCS::removeVault` Allows Attacker to Remove Any Vault, Disrupting Protocol Operations

Summary

The OperatorVCS::queueVaultRemoval function lacks proper access control, allowing anyone to queue and remove vaults from the protocol. This is a highly sensitive function that affects the core operations of the protocol, including its ability to manage staking and rewards. An attacker can exploit this vulnerability by arbitrarily removing vaults, obstructing the protocol's normal functioning and disrupting its services for users.

Vulnerability Details

The OperatorVCS::queueVaultRemoval function allows any external caller to queue a vault for removal without any restrictions or access controls:

    function queueVaultRemoval(uint256 _index) external {
        address vault = address(vaults[_index]);
        // only a vault whose operator has already been removed can be queued
        if (!IVault(vault).isRemoved()) revert OperatorNotRemoved();

        // reject a vault that is already in the removal queue
        for (uint256 i = 0; i < vaultsToRemove.length; ++i) {
            if (vaultsToRemove[i] == vault) revert VaultRemovalAlreadyQueued();
        }

        vaultsToRemove.push(address(vaults[_index]));

        // update group accounting if vault is part of a group
        if (_index < globalVaultState.depositIndex) {
            uint256 group = _index % globalVaultState.numVaultGroups;
            uint256[] memory groups = new uint256[](1);
            groups[0] = group;
            fundFlowController.updateOperatorVaultGroupAccounting(groups);

            // if possible, remove vault right away
            if (vaults[_index].claimPeriodActive()) {
                removeVault(vaultsToRemove.length - 1);
            }
        }
    }

The function performs sensitive operations, such as queuing vaults for removal and updating group accounting. If an attacker calls this function, they can arbitrarily queue vaults for removal and potentially invoke the removeVault function. This lack of access control opens up the possibility for malicious actors to repeatedly remove vaults, severely obstructing the protocol's operations.

Without access control, the protocol is vulnerable to an attack where vaults are continually removed, preventing StakeLink from fulfilling its core service—managing staking and providing rewards to users.

Impact

An attacker can disrupt the core operations of StakeLink by removing vaults from the system, effectively rendering the protocol unable to provide its services to users. This would obstruct staking, disrupt reward distributions, and cause significant financial and operational damage to the protocol and its users.

Tools Used

Manual

Recommendations

Implement strict access control to ensure that only authorized entities, such as protocol administrators, can call queueVaultRemoval and removeVault.
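To make the precondition in the quoted function concrete, the following is an added, self-contained Solidity sketch (editor's illustration, not Stakelink's code) of the pattern queueVaultRemoval follows: the call is open to any address, but it only changes state for a vault whose isRemoved() flag is already set, and that flag is assumed here to be set only through a privileged path. The contract names MiniVault, MiniOperatorVCS and Walkthrough, the owner-only removeOperator() function and the queuedCount() helper are hypothetical; the finding's own snippet does not show who sets isRemoved(), so the owner-only model is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Stakelink code. MiniVault, MiniOperatorVCS and
// Walkthrough are hypothetical names; the owner-only removeOperator() is an
// assumption standing in for whatever privileged path sets isRemoved().
contract MiniVault {
    address public immutable owner;
    bool public isRemoved;

    error NotOwner();

    constructor(address _owner) {
        owner = _owner;
    }

    // Privileged: only the owner can flip the flag that queueVaultRemoval checks.
    function removeOperator() external {
        if (msg.sender != owner) revert NotOwner();
        isRemoved = true;
    }
}

contract MiniOperatorVCS {
    MiniVault[] public vaults;
    address[] public vaultsToRemove;

    error OperatorNotRemoved();
    error VaultRemovalAlreadyQueued();

    constructor(MiniVault[] memory _vaults) {
        for (uint256 i = 0; i < _vaults.length; ++i) vaults.push(_vaults[i]);
    }

    // Deliberately callable by anyone: it changes state only for a vault whose
    // isRemoved() flag was already set through the privileged path above, and
    // it refuses to queue the same vault twice.
    function queueVaultRemoval(uint256 _index) external {
        address vault = address(vaults[_index]);
        if (!MiniVault(vault).isRemoved()) revert OperatorNotRemoved();
        for (uint256 i = 0; i < vaultsToRemove.length; ++i) {
            if (vaultsToRemove[i] == vault) revert VaultRemovalAlreadyQueued();
        }
        vaultsToRemove.push(vault);
    }

    function queuedCount() external view returns (uint256) {
        return vaultsToRemove.length;
    }
}

// Replays the scenario from the finding: any caller tries to queue a live
// vault, then the owner removes the operator, then the queue call is retried.
contract Walkthrough {
    MiniVault public vault;
    MiniOperatorVCS public vcs;

    constructor() {
        vault = new MiniVault(address(this)); // this contract plays the vault owner
        MiniVault[] memory list = new MiniVault[](1);
        list[0] = vault;
        vcs = new MiniOperatorVCS(list);
    }

    // Returns (blockedBeforeRemoval, queuedAfterRemoval, duplicateBlocked).
    function run() external returns (bool, bool, bool) {
        bool blockedBefore;
        try vcs.queueVaultRemoval(0) {
            blockedBefore = false;
        } catch {
            blockedBefore = true; // reverts with OperatorNotRemoved
        }

        vault.removeOperator(); // privileged step, performed by the owner
        vcs.queueVaultRemoval(0); // now succeeds regardless of who calls it
        bool queuedAfter = vcs.queuedCount() == 1;

        bool duplicateBlocked;
        try vcs.queueVaultRemoval(0) {
            duplicateBlocked = false;
        } catch {
            duplicateBlocked = true; // reverts with VaultRemovalAlreadyQueued
        }
        return (blockedBefore, queuedAfter, duplicateBlocked);
    }
}
```

Deploy Walkthrough and call run(); it is expected to return (true, true, true). The point for a reviewer is that a permissionless function is not automatically an access-control flaw: what matters is whether an unprivileged caller can satisfy its preconditions, and here the isRemoved() gate ties the call to a state an unprivileged caller cannot create.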

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
