Liquid Staking

Stakelink
DeFiHardhatOracle
50,000 USDC
Submission Details
Severity: medium
Valid

`OperatorVCS` Fails to Revoke Vault Membership After Removal, Allowing Unauthorized Access to Withdraw Rewards

Summary

In OperatorVCS, a vault added to the strategy is granted membership by setting its `vaultMapping` entry to true. Membership gates privileged functions, including the one that withdraws rewards. When a vault is removed from the strategy, however, the protocol never revokes this membership: the `vaultMapping` entry is left at true. A removed vault, which should now be treated as untrusted, therefore keeps its privileges, including the ability to withdraw rewards, putting the protocol's assets at risk.

Vulnerability Details

When a vault is added to the OperatorVCS strategy, it is granted membership by setting its `vaultMapping` entry to true:

```solidity
function addVault(
    address _operator,
    address _rewardsReceiver,
    address _pfAlertsController
) external onlyOwner {
    bytes memory data = abi.encodeWithSignature(
        "initialize(address,address,address,address,address,address,address)",
        address(token),
        address(this),
        address(stakeController),
        stakeController.getRewardVault(),
        _pfAlertsController,
        _operator,
        _rewardsReceiver
    );
    _deployVault(data);
    vaultMapping[address(vaults[vaults.length - 1])] = true;
    emit VaultAdded(_operator);
}
```

The problem arises when a vault is removed from the strategy. `removeVault` never resets the vault's `vaultMapping` entry to false, so the vault keeps its privileged access even after it is no longer part of the system.

The most critical function affected is `OperatorVCS::withdrawOperatorRewards`, which lets any address registered in `vaultMapping` withdraw lsdToken rewards. Because the removed vault's membership remains intact, it can still call this function and withdraw rewards, leading to potential theft of assets from the contract.

Impact

Failing to revoke vault membership on removal leaves `OperatorVCS::withdrawOperatorRewards` callable by the removed vault, allowing it to drain rewards from the protocol. Untrusted actors retain privileged access after their removal, exposing the protocol to significant financial risk.

Tools Used

Manual

Recommendations

Revoke vault membership by setting the vault's `vaultMapping` entry to false in `removeVault`, in the same transaction as the removal. Removed vaults then no longer pass the membership check guarding privileged functions such as `withdrawOperatorRewards`, preventing unauthorized asset withdrawals.
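The following contract is an added illustration of the add/remove membership pattern described in the Vulnerability Details and the fix proposed above. It is not stake.link's OperatorVCS source: the removal logic, the reward bookkeeping and the `isStaleMember` check are constructed for this example, and only the names `vaults`, `vaultMapping`, `addVault`, `removeVault` and `withdrawOperatorRewards` come from the finding. It shows the vulnerable removal beside the corrected one and a view that a test or invariant suite can use to detect a stale membership entry.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Constructed example, not the stake.link OperatorVCS contract.
// Assumed for illustration: the owner-only gate, the swap-and-pop removal,
// the rewards bookkeeping and the isStaleMember view.
contract VaultMembershipExample {
    address public owner;
    address[] public vaults;
    mapping(address => bool) public vaultMapping;          // membership flag
    mapping(address => uint256) public pendingRewards;     // assumed bookkeeping

    event VaultAdded(address vault);
    event VaultRemoved(address vault);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    // Privileged functions are gated only on this flag, so a stale `true`
    // is a live privilege, not just a bookkeeping error.
    modifier onlyVault() { require(vaultMapping[msg.sender], "not a vault"); _; }

    constructor() { owner = msg.sender; }

    // Mirrors the addVault shown in the finding: membership is granted on add.
    function addVault(address _vault) external onlyOwner {
        require(!vaultMapping[_vault], "already a vault");
        vaults.push(_vault);
        vaultMapping[_vault] = true;
        emit VaultAdded(_vault);
    }

    // VULNERABLE: the vault leaves the array but keeps vaultMapping == true,
    // so it still passes onlyVault after removal.
    function removeVaultVulnerable(uint256 _index) external onlyOwner {
        address vault = vaults[_index];
        vaults[_index] = vaults[vaults.length - 1];
        vaults.pop();
        emit VaultRemoved(vault);
        // missing: vaultMapping[vault] = false;
    }

    // FIXED: membership is revoked in the same transaction as the removal.
    function removeVault(uint256 _index) external onlyOwner {
        address vault = vaults[_index];
        vaults[_index] = vaults[vaults.length - 1];
        vaults.pop();
        delete vaultMapping[vault];          // revoke the privilege
        emit VaultRemoved(vault);
    }

    // Privileged function gated on membership, standing in for
    // OperatorVCS::withdrawOperatorRewards. A removed vault with a stale
    // mapping entry can still reach this code path.
    function withdrawOperatorRewards(address _receiver, uint256 _amount)
        external
        onlyVault
        returns (uint256)
    {
        uint256 owed = pendingRewards[msg.sender];
        uint256 amount = _amount > owed ? owed : _amount;
        pendingRewards[msg.sender] = owed - amount;
        // token transfer to _receiver would happen here in a real contract
        _receiver;
        return amount;
    }

    // Detection check for tests or an invariant suite: an address is a stale
    // member when it is flagged in vaultMapping but no longer in `vaults`.
    // The fixed removeVault keeps this false for every address.
    function isStaleMember(address _candidate) external view returns (bool) {
        if (!vaultMapping[_candidate]) return false;
        for (uint256 i = 0; i < vaults.length; i++) {
            if (vaults[i] == _candidate) return false;
        }
        return true;
    }
}
```

In a Hardhat test, add a vault, remove it with `removeVaultVulnerable`, and assert that `isStaleMember(vault)` is true and that a call to `withdrawOperatorRewards` from that vault still succeeds; repeat with `removeVault` and both checks flip, which is the property the fix must establish.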

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

`removeVault` does not update `vaultMapping`
