Users can withdraw their assets when the contract is in the paused state
The contract inherits the Pausable contract to allow the contract to prevent swaps, as stated by comments. What I take from this is that the protocol does not want assets entering or leaving the contract.
The problem occurs because the whenNotPaused modifier is only added to the stakeFor function; the modifier is not added to the _withdrawFor function. This allows the outflow of Temple tokens from the contract when it is in the paused state. It is recommended that the protocol add the whenNotPaused modifier to this function in order to stop an exploit while it is happening and to ensure the safety of Temple tokens.
The lack of the whenNotPaused modifier when withdrawing could prevent the protocol from stopping an exploit while it is happening and cause security concerns.
Manual Review
Add the whenNotPaused modifier to _withdrawFor.
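The recommended change, sketched in Solidity as an added example (this is not the audited contract's code): the unguarded withdrawal helper sits beside the guarded one. Only Pausable, whenNotPaused, stakeFor and _withdrawFor come from the finding; the contract name, guardian role, balanceOf mapping, setPaused and withdraw wrappers, function parameters and the OpenZeppelin Contracts v4.x import paths are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Pausable} from "@openzeppelin/contracts/security/Pausable.sol"; // v4.x path (assumed)
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";

/// Hypothetical minimal staking contract; not the audited contract's code.
contract PausableStakingSketch is Pausable {
    IERC20 public immutable token;      // staked token (assumed name)
    address public immutable guardian;  // account allowed to pause (assumed role)
    mapping(address => uint256) public balanceOf;

    constructor(IERC20 _token) {
        token = _token;
        guardian = msg.sender;
    }

    function setPaused(bool _on) external {
        require(msg.sender == guardian, "not guardian");
        if (_on) _pause(); else _unpause();
    }

    // Inflow is already gated, as the finding describes.
    function stakeFor(address _for, uint256 _amount) external whenNotPaused {
        balanceOf[_for] += _amount;
        require(token.transferFrom(msg.sender, address(this), _amount), "transfer failed");
    }

    // Before: no pause check, so tokens can still leave while the contract is paused.
    function _withdrawForUnguarded(address _staker, address _to, uint256 _amount) internal {
        balanceOf[_staker] -= _amount; // reverts on underflow in 0.8.x
        require(token.transfer(_to, _amount), "transfer failed");
    }

    // After: the recommended modifier makes outflow revert while paused.
    function _withdrawFor(address _staker, address _to, uint256 _amount) internal whenNotPaused {
        balanceOf[_staker] -= _amount;
        require(token.transfer(_to, _amount), "transfer failed");
    }

    // Public entry point wired to the guarded helper.
    function withdraw(uint256 _amount) external {
        _withdrawFor(msg.sender, msg.sender, _amount);
    }
}
```

With OpenZeppelin Contracts v4.x, calling withdraw while the contract is paused reverts with "Pausable: paused".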