Assessment report: Hyperbeat Pay, Medium findings
Category: Business Logic

Service removal prevents revocation of prior authorizations

Medium Impact
Medium Severity
Medium Likelihood

Description

When a service is removed from the ServiceRegistry, account owners lose the ability to revoke authorizations previously granted to that service. The revokeOperatorBorrowing function first calls _validateServiceInRegistry, which requires the service to be both registered and active in the registry, so revocation reverts with ServiceNotRegistered (or ServiceInactive) for any service that has since been removed or deactivated:

function revokeOperatorBorrowing(address service) external onlyOwner {
!   _validateServiceInRegistry(service);
    [...]
}
[...]
function _validateServiceInRegistry(address service) internal view {
    IServiceRegistry registry = _registry();
!   if (!registry.isServiceRegistered(service)) {
        revert ManagementAccountErrors.ServiceNotRegistered(service);
    }
    if (!registry.isServiceActive(service)) {
        revert ManagementAccountErrors.ServiceInactive(service);
    }
}

Impact

Authorizations granted to removed services cannot be revoked through the management account and remain active on the integrated lending protocols indefinitely. A removed or compromised service therefore retains the ability to borrow against the user's collateral, and the user has no mechanism to clean up these permissions. Because the blocking check consults the shared registry rather than the account's own state, there is no action the account owner can take on the account to satisfy it.

Recommendations

Replace the registry validation in revokeOperatorBorrowing with a check against the account's own record of approved services:

function revokeOperatorBorrowing(address service) external onlyOwner {
-   _validateServiceInRegistry(service);
+   if (!_approvedServices.contains(service)) {
+       revert ManagementAccountErrors.ServiceNotApproved(service);
+   }
    [...]
}

A service can only be present in _approvedServices if it was authorized through the account, so that check is sufficient to confirm prior authorization. Unlike the registry state, it is local to the account and cannot be changed out from under the owner, which is the property a revocation path needs: the ability to revoke must never depend on state that a third party can alter.
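The following self-contained Solidity model, added here as an illustration and not taken from Hyperbeat's code base, reproduces the behaviour described above and the recommended fix side by side. It assumes a minimal ServiceRegistry with admin-controlled addService/removeService, a toy LendingProtocol that only records operator approvals, a grantOperatorBorrowing function, and a Demo contract that drives the scenario; it stores _approvedServices as a plain mapping rather than an EnumerableSet and declares the errors inline instead of in a ManagementAccountErrors library. Every name not on this page is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal model for illustration; not Hyperbeat's contracts.
interface IServiceRegistry {
    function isServiceRegistered(address service) external view returns (bool);
    function isServiceActive(address service) external view returns (bool);
}

interface ILendingProtocol {
    function setOperator(address operator, bool approved) external;
}

// Registry whose membership is controlled by an admin, not by account owners.
contract ServiceRegistry is IServiceRegistry {
    address public immutable admin;
    mapping(address => bool) private registered;
    mapping(address => bool) private active;

    constructor() { admin = msg.sender; }

    function addService(address s) external {
        require(msg.sender == admin, "not admin");
        registered[s] = true;
        active[s] = true;
    }

    // Removing a service clears both flags; this is the state change that
    // locks the vulnerable revoke path.
    function removeService(address s) external {
        require(msg.sender == admin, "not admin");
        delete registered[s];
        delete active[s];
    }

    function isServiceRegistered(address s) external view returns (bool) { return registered[s]; }
    function isServiceActive(address s) external view returns (bool) { return active[s]; }
}

// Toy lending protocol: records which operators may act for which account.
contract LendingProtocol is ILendingProtocol {
    mapping(address => mapping(address => bool)) public isOperator; // account => operator => approved

    function setOperator(address operator, bool approved) external {
        isOperator[msg.sender][operator] = approved;
    }
}

contract ManagementAccount {
    error ServiceNotRegistered(address service);
    error ServiceInactive(address service);
    error ServiceNotApproved(address service);
    error NotOwner();

    address public immutable owner;
    IServiceRegistry public immutable registry;
    ILendingProtocol public immutable lending;
    mapping(address => bool) private _approvedServices; // account-local record of granted services

    modifier onlyOwner() { if (msg.sender != owner) revert NotOwner(); _; }

    constructor(IServiceRegistry r, ILendingProtocol l) {
        owner = msg.sender;
        registry = r;
        lending = l;
    }

    function _validateServiceInRegistry(address service) internal view {
        if (!registry.isServiceRegistered(service)) revert ServiceNotRegistered(service);
        if (!registry.isServiceActive(service)) revert ServiceInactive(service);
    }

    // Granting may reasonably require the service to be live in the registry.
    function grantOperatorBorrowing(address service) external onlyOwner {
        _validateServiceInRegistry(service);
        _approvedServices[service] = true;
        lending.setOperator(service, true);
    }

    // Vulnerable form: gated on registry state the owner does not control.
    function revokeOperatorBorrowingVulnerable(address service) external onlyOwner {
        _validateServiceInRegistry(service);
        _approvedServices[service] = false;
        lending.setOperator(service, false);
    }

    // Fixed form: only requires that this account previously approved the service.
    function revokeOperatorBorrowing(address service) external onlyOwner {
        if (!_approvedServices[service]) revert ServiceNotApproved(service);
        _approvedServices[service] = false;
        lending.setOperator(service, false);
    }
}

// Drives the scenario: grant, registry removal, then both revoke paths.
contract Demo {
    function run() external returns (bool vulnerableReverted, bool operatorStillApproved) {
        ServiceRegistry reg = new ServiceRegistry();
        LendingProtocol lend = new LendingProtocol();
        ManagementAccount acct = new ManagementAccount(reg, lend); // Demo is the owner
        address svc = address(0xBEEF);                             // constructed service address

        reg.addService(svc);
        acct.grantOperatorBorrowing(svc);
        reg.removeService(svc); // registry admin removes the service; the owner did nothing

        // The vulnerable path reverts with ServiceNotRegistered and leaves the approval in place.
        try acct.revokeOperatorBorrowingVulnerable(svc) { vulnerableReverted = false; }
        catch { vulnerableReverted = true; }

        // The fixed path succeeds because the account's own record still lists the service.
        acct.revokeOperatorBorrowing(svc);
        operatorStillApproved = lend.isOperator(address(acct), svc);
    }
}
```

Deploying Demo and calling run() returns vulnerableReverted == true and operatorStillApproved == false: the registry-gated revoke is stuck once the service is gone, while the approval on the lending protocol is only cleared by the version that consults the account's local state. Note that the grant path keeps the registry check; only the revoke path must be free of dependencies on state the owner cannot influence.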

Remediation

This issue has been acknowledged by Hyperbeat, and fixes were implemented in the following commits:

Zellic © 2025