fix(StakeManager)!: don't allow registration of vaults with incorrect owners #85
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
0x-r4bbit
force-pushed
the
fix/vault-owner-bug
branch
from
569908b to
8e3447d
Compare
0x-r4bbit
commented
Dec 4, 2025
| function registerVault() external onlyNotEmergencyMode whenNotPaused onlyTrustedCodehash { | ||
| address vault = msg.sender; | ||
| function registerVault(address vault) external onlyNotEmergencyMode whenNotPaused onlyVaultFactory { | ||
| _onlyTrustedCodehash(vault.codehash); |
Member
Author
There was a problem hiding this comment.
@gravityblast as discussed, we could think about removing the onlyTrustedCodehash requirement now, but keeping it at least doesn't change the behaviour. We might introduce new bugs otherwise.
We probably want to be able to detect if an older vault is no longer trusted, which we can't if we only rely on onlyRegisteredVault.
0x-r4bbit
force-pushed
the
fix/vault-owner-bug
branch
from
8e3447d to
44329b7
Compare
… owners This commit fixes a bug that anyone can create `StakeVault`'s for anyone, which enables DDOSing other users. The fix is allowing registration of `StakeVault`'s in `StakeManager.registerVault()` only from a trusted address/account, which in our case is going to be the `VaultFactory`. Previously, we required that the sender needs a trusted codehash (which is any `StakeVault` source that we whitelist). While this ensures only correct `StakeVault`s are registered with the system, it doesn't prevent other users from creating vaults for other accounts, as setting the `owner` of a `StakeVault` is configurable in its initialization. The `VaultFactory` ensures that the account that creates the vault is also the owner of the vault. BREAKING CHANGES: - `StakeVault.register()` has been removed. Registration is now entirely done via `VaultFactory`. - `StakeManager.registerVault()` now takes the address of the vault to register as argument: ```diff - stakeManager.registerVault(); + stakeManager.registerVault(stakeVaultAddress); ``` Addresses Cyfrin/audit-2025-12-statusl2#1 Closes #72
0x-r4bbit
force-pushed
the
fix/vault-owner-bug
branch
from
44329b7 to
81c7b3d
Compare
Open
3esmit
approved these changes
Dec 8, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit fixes a bug that anyone can create
StakeVault's for anyone, which enables DDOSing other users.The fix is allowing registration of
StakeVault's inStakeManager.registerVault()only from a trusted address/account, which in our case is going to be theVaultFactory.Previously, we required that the sender needs a trusted codehash (which is any
StakeVaultsource that we whitelist). While this ensures only correctStakeVaults are registered with the system, it doesn't prevent other users from creating vaults for other accounts, as setting theownerof aStakeVaultis configurable in its initialization.The
VaultFactoryensures that the account that creates the vault is also the owner of the vault.BREAKING CHANGES:
StakeVault.register()has been removed. Registration is now entirely done viaVaultFactory.StakeManager.registerVault()now takes the address of the vault to register as argument:Addresses https://github.com/Cyfrin/audit-2025-12-statusl2/issues/1
Closes #72