fix(staking): S-1 LDV controller hijack + S-2 adapter swap-under-load (#127)

S-1 (LiquidDelegationVault.requestRedeem):
  An authorized operator (ERC-7540 `_operators[owner][caller]`) could file a
  redemption with `controller != owner`, then drive `redeem` to route assets
  anywhere. Now an operator-driven request must set `controller == owner`;
  owners filing on their own behalf may still pick any controller (the legit
  ERC-7540 aggregator-vault use case).

S-2 (StakingAssetsFacet.registerAdapter / removeAdapter):
  Switching adapters while the asset has live deposits silently strands
  balances in the old adapter or double-counts them in the new one. Both
  paths now revert with `AdapterChangeWhileDepositsExist(token, deposits)`
  when `currentDeposits != 0`. The M-8 migration framework
  (`startAdapterMigration` -> `completeAdapterMigration`) remains the
  intended drain path for live assets. The new error is exposed on
  `IMultiAssetDelegation` so the Rust bindings decode the revert.

Tests:
  - test_Vault_OperatorCannotPickArbitraryController_S1
  - test_Vault_OwnerMayPickArbitraryController_S1 (preserves legit case)
  - test_registerAdapter_blockedWhileDepositsExist_S2
  - test_removeAdapter_blockedWhileDepositsExist_S2
  - test_registerAdapter_allowedWhenDepositsAreZero_S2

Bindings: ABI regenerated; new custom error decoded by alloy. Version bump
deferred to whichever Round 4 PR lands last so we don't race four PRs onto
v0.15.0.

Author: drewstone

Cargo.lock

@@ -1 +1 @@
-5201cf08bbe64238f0533d113840d7280afdaa08
+98a5484534148b6b556085cf450ac5abb5e0d6b5

bindings/TNT_CORE_VERSION

@@ -4015,6 +4015,8 @@ library Types {
 }
 
 interface IMultiAssetDelegation {
+    error AdapterChangeWhileDepositsExist(address token, uint256 currentDeposits);
+
     event AdapterRegistered(address indexed token, address indexed adapter);
     event AdapterRemoved(address indexed token);
     event AssetDisabled(address indexed token);
@@ -7002,6 +7004,22 @@ interface IMultiAssetDelegation {
       }
     ],
     "anonymous": false
+  },
+  {
+    "type": "error",
+    "name": "AdapterChangeWhileDepositsExist",
+    "inputs": [
+      {
+        "name": "token",
+        "type": "address",
+        "internalType": "address"
+      },
+      {
+        "name": "currentDeposits",
+        "type": "uint256",
+        "internalType": "uint256"
+      }
+    ]
   }
 ]
 ```*/
@@ -7037,6 +7055,103 @@ pub mod IMultiAssetDelegation {
     );
     #[derive(serde::Serialize, serde::Deserialize)]
     #[derive(Default, Debug, PartialEq, Eq, Hash)]
+    /**Custom error with signature `AdapterChangeWhileDepositsExist(address,uint256)` and selector `0x0d136063`.
+```solidity
+error AdapterChangeWhileDepositsExist(address token, uint256 currentDeposits);
+```*/
+    #[allow(non_camel_case_types, non_snake_case, clippy::pub_underscore_fields)]
+    #[derive(Clone)]
+    pub struct AdapterChangeWhileDepositsExist {
+        #[allow(missing_docs)]
+        pub token: alloy::sol_types::private::Address,
+        #[allow(missing_docs)]
+        pub currentDeposits: alloy::sol_types::private::primitives::aliases::U256,
+    }
+    #[allow(
+        non_camel_case_types,
+        non_snake_case,
+        clippy::pub_underscore_fields,
+        clippy::style
+    )]
+    const _: () = {
+        use alloy::sol_types as alloy_sol_types;
+        #[doc(hidden)]
+        #[allow(dead_code)]
+        type UnderlyingSolTuple<'a> = (
+            alloy::sol_types::sol_data::Address,
+            alloy::sol_types::sol_data::Uint<256>,
+        );
+        #[doc(hidden)]
+        type UnderlyingRustTuple<'a> = (
+            alloy::sol_types::private::Address,
+            alloy::sol_types::private::primitives::aliases::U256,
+        );
+        #[cfg(test)]
+        #[allow(dead_code, unreachable_patterns)]
+        fn _type_assertion(
+            _t: alloy_sol_types::private::AssertTypeEq<UnderlyingRustTuple>,
+        ) {
+            match _t {
+                alloy_sol_types::private::AssertTypeEq::<
+                    <UnderlyingSolTuple as alloy_sol_types::SolType>::RustType,
+                >(_) => {}
+            }
+        }
+        #[automatically_derived]
+        #[doc(hidden)]
+        impl ::core::convert::From<AdapterChangeWhileDepositsExist>
+        for UnderlyingRustTuple<'_> {
+            fn from(value: AdapterChangeWhileDepositsExist) -> Self {
+                (value.token, value.currentDeposits)
+            }
+        }
+        #[automatically_derived]
+        #[doc(hidden)]
+        impl ::core::convert::From<UnderlyingRustTuple<'_>>
+        for AdapterChangeWhileDepositsExist {
+            fn from(tuple: UnderlyingRustTuple<'_>) -> Self {
+                Self {
+                    token: tuple.0,
+                    currentDeposits: tuple.1,
+                }
+            }
+        }
+        #[automatically_derived]
+        impl alloy_sol_types::SolError for AdapterChangeWhileDepositsExist {
+            type Parameters<'a> = UnderlyingSolTuple<'a>;
+            type Token<'a> = <Self::Parameters<
+                'a,
+            > as alloy_sol_types::SolType>::Token<'a>;
+            const SIGNATURE: &'static str = "AdapterChangeWhileDepositsExist(address,uint256)";
+            const SELECTOR: [u8; 4] = [13u8, 19u8, 96u8, 99u8];
+            #[inline]
+            fn new<'a>(
+                tuple: <Self::Parameters<'a> as alloy_sol_types::SolType>::RustType,
+            ) -> Self {
+                tuple.into()
+            }
+            #[inline]
+            fn tokenize(&self) -> Self::Token<'_> {
+                (
+                    <alloy::sol_types::sol_data::Address as alloy_sol_types::SolType>::tokenize(
+                        &self.token,
+                    ),
+                    <alloy::sol_types::sol_data::Uint<
+                        256,
+                    > as alloy_sol_types::SolType>::tokenize(&self.currentDeposits),
+                )
+            }
+            #[inline]
+            fn abi_decode_raw_validate(data: &[u8]) -> alloy_sol_types::Result<Self> {
+                <Self::Parameters<
+                    '_,
+                > as alloy_sol_types::SolType>::abi_decode_sequence_validate(data)
+                    .map(Self::new)
+            }
+        }
+    };
+    #[derive(serde::Serialize, serde::Deserialize)]
+    #[derive(Default, Debug, PartialEq, Eq, Hash)]
     /**Event with signature `AdapterRegistered(address,address)` and selector `0xc47df14ad9309b59073546f93dbe3115ed09c8b206d940f8441ddb07f745b10b`.
 ```solidity
 event AdapterRegistered(address indexed token, address indexed adapter);
@@ -31622,6 +31737,160 @@ function unpause() external;
             }
         }
     }
+    ///Container for all the [`IMultiAssetDelegation`](self) custom errors.
+    #[derive(Clone)]
+    #[derive(serde::Serialize, serde::Deserialize)]
+    #[derive(Debug, PartialEq, Eq, Hash)]
+    pub enum IMultiAssetDelegationErrors {
+        #[allow(missing_docs)]
+        AdapterChangeWhileDepositsExist(AdapterChangeWhileDepositsExist),
+    }
+    impl IMultiAssetDelegationErrors {
+        /// All the selectors of this enum.
+        ///
+        /// Note that the selectors might not be in the same order as the variants.
+        /// No guarantees are made about the order of the selectors.
+        ///
+        /// Prefer using `SolInterface` methods instead.
+        pub const SELECTORS: &'static [[u8; 4usize]] = &[[13u8, 19u8, 96u8, 99u8]];
+        /// The names of the variants in the same order as `SELECTORS`.
+        pub const VARIANT_NAMES: &'static [&'static str] = &[
+            ::core::stringify!(AdapterChangeWhileDepositsExist),
+        ];
+        /// The signatures in the same order as `SELECTORS`.
+        pub const SIGNATURES: &'static [&'static str] = &[
+            <AdapterChangeWhileDepositsExist as alloy_sol_types::SolError>::SIGNATURE,
+        ];
+        /// Returns the signature for the given selector, if known.
+        #[inline]
+        pub fn signature_by_selector(
+            selector: [u8; 4usize],
+        ) -> ::core::option::Option<&'static str> {
+            match Self::SELECTORS.binary_search(&selector) {
+                ::core::result::Result::Ok(idx) => {
+                    ::core::option::Option::Some(Self::SIGNATURES[idx])
+                }
+                ::core::result::Result::Err(_) => ::core::option::Option::None,
+            }
+        }
+        /// Returns the enum variant name for the given selector, if known.
+        #[inline]
+        pub fn name_by_selector(
+            selector: [u8; 4usize],
+        ) -> ::core::option::Option<&'static str> {
+            let sig = Self::signature_by_selector(selector)?;
+            sig.split_once('(').map(|(name, _)| name)
+        }
+    }
+    #[automatically_derived]
+    impl alloy_sol_types::SolInterface for IMultiAssetDelegationErrors {
+        const NAME: &'static str = "IMultiAssetDelegationErrors";
+        const MIN_DATA_LENGTH: usize = 64usize;
+        const COUNT: usize = 1usize;
+        #[inline]
+        fn selector(&self) -> [u8; 4] {
+            match self {
+                Self::AdapterChangeWhileDepositsExist(_) => {
+                    <AdapterChangeWhileDepositsExist as alloy_sol_types::SolError>::SELECTOR
+                }
+            }
+        }
+        #[inline]
+        fn selector_at(i: usize) -> ::core::option::Option<[u8; 4]> {
+            Self::SELECTORS.get(i).copied()
+        }
+        #[inline]
+        fn valid_selector(selector: [u8; 4]) -> bool {
+            Self::SELECTORS.binary_search(&selector).is_ok()
+        }
+        #[inline]
+        #[allow(non_snake_case)]
+        fn abi_decode_raw(
+            selector: [u8; 4],
+            data: &[u8],
+        ) -> alloy_sol_types::Result<Self> {
+            static DECODE_SHIMS: &[fn(
+                &[u8],
+            ) -> alloy_sol_types::Result<IMultiAssetDelegationErrors>] = &[
+                {
+                    fn AdapterChangeWhileDepositsExist(
+                        data: &[u8],
+                    ) -> alloy_sol_types::Result<IMultiAssetDelegationErrors> {
+                        <AdapterChangeWhileDepositsExist as alloy_sol_types::SolError>::abi_decode_raw(
+                                data,
+                            )
+                            .map(
+                                IMultiAssetDelegationErrors::AdapterChangeWhileDepositsExist,
+                            )
+                    }
+                    AdapterChangeWhileDepositsExist
+                },
+            ];
+            let Ok(idx) = Self::SELECTORS.binary_search(&selector) else {
+                return Err(
+                    alloy_sol_types::Error::unknown_selector(
+                        <Self as alloy_sol_types::SolInterface>::NAME,
+                        selector,
+                    ),
+                );
+            };
+            DECODE_SHIMS[idx](data)
+        }
+        #[inline]
+        #[allow(non_snake_case)]
+        fn abi_decode_raw_validate(
+            selector: [u8; 4],
+            data: &[u8],
+        ) -> alloy_sol_types::Result<Self> {
+            static DECODE_VALIDATE_SHIMS: &[fn(
+                &[u8],
+            ) -> alloy_sol_types::Result<IMultiAssetDelegationErrors>] = &[
+                {
+                    fn AdapterChangeWhileDepositsExist(
+                        data: &[u8],
+                    ) -> alloy_sol_types::Result<IMultiAssetDelegationErrors> {
+                        <AdapterChangeWhileDepositsExist as alloy_sol_types::SolError>::abi_decode_raw_validate(
+                                data,
+                            )
+                            .map(
+                                IMultiAssetDelegationErrors::AdapterChangeWhileDepositsExist,
+                            )
+                    }
+                    AdapterChangeWhileDepositsExist
+                },
+            ];
+            let Ok(idx) = Self::SELECTORS.binary_search(&selector) else {
+                return Err(
+                    alloy_sol_types::Error::unknown_selector(
+                        <Self as alloy_sol_types::SolInterface>::NAME,
+                        selector,
+                    ),
+                );
+            };
+            DECODE_VALIDATE_SHIMS[idx](data)
+        }
+        #[inline]
+        fn abi_encoded_size(&self) -> usize {
+            match self {
+                Self::AdapterChangeWhileDepositsExist(inner) => {
+                    <AdapterChangeWhileDepositsExist as alloy_sol_types::SolError>::abi_encoded_size(
+                        inner,
+                    )
+                }
+            }
+        }
+        #[inline]
+        fn abi_encode_raw(&self, out: &mut alloy_sol_types::private::Vec<u8>) {
+            match self {
+                Self::AdapterChangeWhileDepositsExist(inner) => {
+                    <AdapterChangeWhileDepositsExist as alloy_sol_types::SolError>::abi_encode_raw(
+                        inner,
+                        out,
+                    )
+                }
+            }
+        }
+    }
     ///Container for all the [`IMultiAssetDelegation`](self) events.
     #[derive(Clone)]
     #[derive(serde::Serialize, serde::Deserialize)]

bindings/abi/IMultiAssetDelegation.json

@@ -91,25 +91,45 @@ contract StakingAssetsFacet is StakingFacetBase, IFacetSelectors {
     /// @param token The token address
     /// @param adapter The adapter address
     /// @dev Adapter must support the token (checked via supportsAsset)
+    /// @dev Round 4 audit S-2: rejects when the asset has active deposits.
+    ///      Switching adapters under live balances either strands assets in the
+    ///      old adapter or double-counts them in the new one — `currentDeposits`
+    ///      is the protocol's accounting source of truth, so refuse the swap and
+    ///      route admins through `startAdapterMigration` (M-8) instead.
     function registerAdapter(address token, address adapter) external onlyRole(ASSET_MANAGER_ROLE) {
         require(token != address(0), "Cannot set adapter for native");
         require(adapter != address(0), "Invalid adapter");
-
-        // Verify adapter supports the token
         require(IAssetAdapter(adapter).supportsAsset(token), "Adapter doesn't support token");
 
+        bytes32 assetHash = _assetHash(Types.Asset(Types.AssetKind.ERC20, token));
+        uint256 deposits = _assetConfigs[assetHash].currentDeposits;
+        if (deposits != 0) revert AdapterChangeWhileDepositsExist(token, deposits);
+
         _assetAdapters[token] = adapter;
         emit AdapterRegistered(token, adapter);
     }
 
     /// @notice Remove adapter for a token (falls back to direct transfers)
     /// @param token The token address
+    /// @dev Round 4 audit S-2: same `currentDeposits == 0` gate as
+    ///      `registerAdapter`. Removing an adapter while balances are held there
+    ///      would silently strand them — admins should use
+    ///      `startAdapterMigration(token, address(0))` to drain first.
     function removeAdapter(address token) external onlyRole(ASSET_MANAGER_ROLE) {
         require(_assetAdapters[token] != address(0), "No adapter registered");
+
+        bytes32 assetHash = _assetHash(Types.Asset(Types.AssetKind.ERC20, token));
+        uint256 deposits = _assetConfigs[assetHash].currentDeposits;
+        if (deposits != 0) revert AdapterChangeWhileDepositsExist(token, deposits);
+
         delete _assetAdapters[token];
         emit AdapterRemoved(token);
     }
 
+    /// @notice Adapter changes are forbidden while the asset has live deposits.
+    /// @dev Use `startAdapterMigration` (M-8) for the controlled drain path.
+    error AdapterChangeWhileDepositsExist(address token, uint256 currentDeposits);
+
     /// @notice Set whether adapters are required for ERC20 deposits
     /// @param required If true, deposits revert when no adapter is registered
     function setRequireAdapters(bool required) external onlyRole(ASSET_MANAGER_ROLE) {

bindings/src/bindings/i_multi_asset_delegation.rs

@@ -249,6 +249,11 @@ interface IMultiAssetDelegation {
     function getAssetConfig(address token) external view returns (Types.AssetConfig memory);
     function registerAdapter(address token, address adapter) external;
     function removeAdapter(address token) external;
+
+    /// @notice Round 4 audit S-2: raw register/remove of an adapter is rejected
+    ///         while the asset has live deposits. Use the M-8 migration path
+    ///         (`startAdapterMigration` → `completeAdapterMigration`) instead.
+    error AdapterChangeWhileDepositsExist(address token, uint256 currentDeposits);
     function setRequireAdapters(bool required) external;
     function enableAssetWithAdapter(
         address token,