DSS cannot force jailed operator to unallocate from such DSS #20

Closed
c4-bot-3 opened this issue Jul 30, 2024 · 2 comments
Labels
  - 2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
  - bug: Something isn't working
  - insufficient quality report: This report is not of sufficient quality
  - 🤖_primary: AI based primary recommendation
  - 🤖_128_group: AI based duplicate group recommendation
  - unsatisfactory: does not satisfy C4 submission criteria; not eligible for awards

Comments

@c4-bot-3

Lines of code

https://github.com/code-423n4/2024-07-karak/blob/53eb78ebda718d752023db4faff4ab1567327db4/src/Core.sol#L130-L141
https://github.com/code-423n4/2024-07-karak/blob/53eb78ebda718d752023db4faff4ab1567327db4/src/Core.sol#L113-L124

Vulnerability details

Impact

According to https://github.com/code-423n4/2024-07-karak?tab=readme-ov-file#operators, Operators can be jailed by the DSS and one of the effects of jailing is forcing them to unallocate from the DSS. However, the following Core.requestUpdateVaultStakeInDSS and Core.unregisterOperatorFromDSS functions all require msg.sender to be the operator so only the operator can choose to unallocate from the DSS; although the operator is jailed by the DSS, the DSS is unable to call the Core.requestUpdateVaultStakeInDSS function for requesting the unstaking of such operator's vault from the DSS or the Core.unregisterOperatorFromDSS function for unregistering such operator from the DSS. Thus, the DSS fails to force the jailed operator to unallocate from the DSS and cannot prevent all further interactions caused by such operator.

https://github.com/code-423n4/2024-07-karak/blob/53eb78ebda718d752023db4faff4ab1567327db4/src/Core.sol#L130-L141

    function requestUpdateVaultStakeInDSS(Operator.StakeUpdateRequest memory vaultStakeUpdateRequest)
        external
        nonReentrant
        whenFunctionNotPaused(Constants.PAUSE_CORE_REQUEST_STAKE_UPDATE)
        returns (Operator.QueuedStakeUpdate memory updatedStake)
    {
        address operator = msg.sender;
        CoreLib.Storage storage self = _self();
        self.checkIfOperatorIsRegInRegDSS(operator, vaultStakeUpdateRequest.dss);
        updatedStake = self.requestUpdateVaultStakeInDSS(vaultStakeUpdateRequest, self.nonce++, operator);
        emit RequestedStakeUpdate(updatedStake);
    }

https://github.com/code-423n4/2024-07-karak/blob/53eb78ebda718d752023db4faff4ab1567327db4/src/Core.sol#L113-L124

    function unregisterOperatorFromDSS(IDSS dss, bytes memory unregistrationHookData)
        external
        nonReentrant
        whenFunctionNotPaused(Constants.PAUSE_CORE_UNREGISTER_FROM_DSS)
    {
        address operator = msg.sender;
        CoreLib.Storage storage self = _self();
        self.checkIfOperatorIsRegInRegDSS(operator, dss);
        self.unregisterOperatorFromDSS(dss, operator, unregistrationHookData);

        emit UnregisteredOperatorToDSS(operator, address(dss));
    }

Proof of Concept

The following steps can occur for the described scenario.

  1. Operator A is registered with DSS A and stakes one of its vaults to DSS A.
  2. DSS A detects that Operator A's staked vault is too overleveraged so it jails Operator A.
  3. DSS A wants to force Operator A to unallocate from DSS A.
  4. Because the Core.requestUpdateVaultStakeInDSS function cannot be called by DSS A for unstaking Operator A's vault from DSS A and the Core.unregisterOperatorFromDSS function cannot be called by DSS A for unregistering Operator A from DSS A, DSS A fails to force Operator A to unallocate from DSS A and cannot prevent all further interactions caused by Operator A.

Tools Used

Manual Review

Recommended Mitigation Steps

The Core contract can be updated to add a function, which is similar to the Core.requestUpdateVaultStakeInDSS function, to only allow a DSS to request the unstaking of its associated operator's vault from such DSS and a function, which is similar to the Core.unregisterOperatorFromDSS function, to only allow a DSS to unregister its associated operator from such DSS.

Assessed type

Other

@c4-bot-3 c4-bot-3 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Jul 30, 2024
c4-bot-3 added a commit that referenced this issue Jul 30, 2024
@c4-bot-13 c4-bot-13 added 🤖_128_group AI based duplicate group recommendation 🤖_primary AI based primary recommendation labels Jul 30, 2024
@howlbot-integration howlbot-integration bot added the insufficient quality report This report is not of sufficient quality label Aug 1, 2024
@c4-judge c4-judge added the unsatisfactory does not satisfy C4 submission criteria; not eligible for awards label Aug 11, 2024
@c4-judge

MiloTruck marked the issue as unsatisfactory:
Invalid

@MiloTruck

Invalid. The README states:

> The effects of jailing are also arbitrary and can be decided by the DSS. This can range from no rewards to not allowing the operator to perform any tasks and forcing them to unallocate from the DSS. Jailing is optional and is implemented inside the DSS contract and not the core contract.

"forcing them to unallocate from the DSS" is an example; it is not expected to be implemented in the in-scope code.
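
The two positions in this thread, the report's proposed DSS-callable unregistration and the README's DSS-side jailing, shown side by side in a simplified model. This is an added example, not Karak's code and not part of the original report or comments; `MiniCore`, `MiniDSS`, `forceUnregisterOperator`, `jail` and `submitTask` are hypothetical names, and hooks, pausing and the stake-update queue are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Simplified model for illustration; NOT Karak's Core (no hooks, pausing or stake queue).
contract MiniCore {
    mapping(address => mapping(address => bool)) public isRegistered; // operator => dss
    error NotRegistered();

    function registerOperatorToDSS(address dss) external {
        isRegistered[msg.sender][dss] = true;
    }

    /// Operator path: same authorization shape as the quoted function,
    /// the operator is always msg.sender.
    function unregisterOperatorFromDSS(address dss) external {
        _unregister(msg.sender, dss);
    }

    /// Hypothetical DSS path: the DSS is always msg.sender, so it can only
    /// evict operators from itself, never from another DSS.
    function forceUnregisterOperator(address operator) external {
        _unregister(operator, msg.sender);
    }

    function _unregister(address operator, address dss) private {
        if (!isRegistered[operator][dss]) revert NotRegistered();
        isRegistered[operator][dss] = false;
    }
}

/// Hypothetical DSS that keeps jailing state itself, as the README excerpt describes.
contract MiniDSS {
    MiniCore public immutable core;
    address public immutable owner;
    mapping(address => bool) public jailed;

    constructor(MiniCore core_) { core = core_; owner = msg.sender; }

    function jail(address operator, bool evict) external {
        require(msg.sender == owner, "not owner");
        jailed[operator] = true; // DSS-local effect, needs no Core support
        if (evict) core.forceUnregisterOperator(operator); // needs the added Core path
    }

    /// Task entry point: a jailed operator is refused regardless of Core state.
    function submitTask(bytes calldata) external view {
        require(!jailed[msg.sender], "operator jailed");
    }
}
```

Calling `jail(operator, false)` relies only on state the DSS owns, while `jail(operator, true)` works only if Core exposes a DSS-authorized path such as the hypothetical one above.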
