Liquid Staking

Stakelink
DeFi / Hardhat / Oracle
50,000 USDC

Submission Details
Severity: high
Status: Invalid

`OperatorVCS` Fails to Revoke Token Allowances for Removed Vaults, Leaving Protocol at Risk

Summary

When an OperatorVault is removed from the OperatorVCS strategy, the protocol fails to revoke the token allowances previously granted to the removed vault. This leaves the protocol exposed, as the removed vault, now an untrusted actor, retains the ability to move tokens on behalf of the OperatorVCS contract. This oversight can potentially lead to unauthorized access to protocol funds, putting the system at risk of token loss.

Vulnerability Details

The OperatorVCS::removeVault function is responsible for removing vaults from the strategy. However, after removing a vault, it does not revoke the token allowance that was previously granted to the vault. Here's the relevant part of the removeVault function:

function removeVault(uint256 _queueIndex) public {
    address vault = vaultsToRemove[_queueIndex];
    vaultsToRemove[_queueIndex] = vaultsToRemove[vaultsToRemove.length - 1];
    vaultsToRemove.pop();

    _updateStrategyRewards();
    (uint256 principalWithdrawn, uint256 rewardsWithdrawn) = IOperatorVault(vault).exitVault();
    totalDeposits -= principalWithdrawn + rewardsWithdrawn;
    totalPrincipalDeposits -= principalWithdrawn;

    // Locate the vault in the active list and shift the remaining entries down.
    uint256 numVaults = vaults.length;
    uint256 index;
    for (uint256 i = 0; i < numVaults; ++i) {
        if (address(vaults[i]) == vault) {
            index = i;
            break;
        }
    }
    for (uint256 i = index; i < numVaults - 1; ++i) {
        vaults[i] = vaults[i + 1];
    }
    vaults.pop();

    // Note: the allowance previously granted to `vault` is never reset here.
    token.safeTransfer(address(stakingPool), token.balanceOf(address(this)));
}

Once a vault is removed, it should no longer be treated as a trusted actor. However, the allowance granted to the removed vault to move tokens remains intact. Without revoking this privilege, the removed vault retains the ability to transfer tokens, which presents a significant security risk.

In the worst-case scenario, if the vault is malicious or compromised, it could exploit this oversight to transfer funds from the OperatorVCS contract without authorization.

Impact

The protocol is at risk of token loss due to untrusted vaults retaining their token allowances even after being removed from the system. This oversight could lead to unauthorized transfers, resulting in financial losses for the protocol and its users.

Tools Used

Manual

Recommendations

Revoke the token allowance for removed vaults immediately after they are removed from the system. This can be achieved by resetting the allowance to zero in the removeVault function to ensure that removed vaults no longer have access to the protocol's tokens.
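An added sketch of the grant/revoke pairing the recommendation describes; this is not Stakelink's code. It assumes the strategy grants each vault its allowance with an ERC20 approve at the time the vault is added, and it uses OpenZeppelin's SafeERC20 (4.9 or later) for forceApprove; all contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical minimal strategy that models only the allowance bookkeeping
/// around adding and removing vaults (constructed example, not OperatorVCS).
contract VaultAllowanceSketch {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    address public immutable owner;
    address[] public vaults;

    constructor(IERC20 _token) {
        token = _token;
        owner = msg.sender;
    }

    /// Assumption: each vault receives an unlimited allowance when it is added,
    /// so that it can pull deposits from the strategy.
    function addVault(address vault) external {
        require(msg.sender == owner, "not owner");
        vaults.push(vault);
        token.forceApprove(vault, type(uint256).max);
    }

    /// Removal must undo what addVault granted. Zero the allowance once the
    /// vault has been dropped from the active list, before any balance sweep,
    /// so the removed address is left with no spending power over this contract.
    function removeVault(uint256 index) external {
        require(msg.sender == owner, "not owner");
        address vault = vaults[index];
        vaults[index] = vaults[vaults.length - 1];
        vaults.pop();
        // forceApprove handles tokens that reject non-zero -> non-zero changes;
        // for a plain ERC20, token.approve(vault, 0) is equivalent here.
        token.forceApprove(vault, 0);
    }

    /// Invariant a test or monitor can assert after removal: the former vault
    /// should report a zero allowance from this contract.
    function allowanceTo(address spender) external view returns (uint256) {
        return token.allowance(address(this), spender);
    }
}
```

A regression test for the finding is then a single assertion: after removeVault, allowanceTo(formerVault) must return 0, which the original OperatorVCS::removeVault would fail.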

Updates

Lead Judging Commences

inallhonesty (Lead Judge), 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

krisrenzo (Submitter), 10 months ago
inallhonesty (Lead Judge), 10 months ago

inallhonesty (Lead Judge), 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
