The TempleGoldStaking.sol contract features a whenNotPaused modifier that is currently only applied to the stakeFor() function. This limited application of the pausing functionality could leave critical operations exposed during emergencies, potentially jeopardizing the safety of staked assets and reward distributions.
The whenNotPaused modifier is used only in the stakeFor() function, which allows users to stake tokens. The following functions are not protected by the pausing mechanism:
- withdraw() and withdrawAll(), which allow users to withdraw staked tokens and claim rewards.
- getReward(), which facilitates the claiming of rewards.
- distributeRewards() and distributeGold(), the reward distribution functions.
The lack of comprehensive pause functionality exposes the contract to potential issues if it needs to be paused for maintenance or in response to an attack. Because not all non-migration functions are restricted during a pause, users can still interact with the contract in ways that may not be intended while it is paused: if an emergency occurs (e.g., a security vulnerability is discovered), the contract cannot be fully paused to protect funds and prevent unauthorized transactions. This could lead to:
- Unauthorized withdrawals and claims of rewards during a security breach.
- Potential loss of staked tokens and rewards if a vulnerability is exploited before a fix can be applied.
- Increased risk to user assets, as pausing is a common safeguard to mitigate damage during incidents.
Manual review.
Apply the whenNotPaused modifier to the critical functions listed above.
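As an added illustration (not the project's code), a minimal Solidity sketch with the recommended gating applied: the function names come from the finding, while the parameter lists, the owner-controlled pause switch and the internal reward accounting are assumptions made so the sketch compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Illustrative sketch, not the TempleGoldStaking source. Signatures and the
// internal-only accounting (no token transfers) are assumed so it compiles on
// its own; the point is which entry points carry whenNotPaused.
contract PausableStakingSketch {
    address public owner = msg.sender;
    bool public paused;
    uint256 public totalStaked;
    uint256 public rewardPerTokenStored;                 // scaled by 1e18
    mapping(address => uint256) public balanceOf;
    mapping(address => uint256) public rewards;          // claimable
    mapping(address => uint256) public rewardPerTokenPaid;
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier whenNotPaused() { require(!paused, "paused"); _; }
    function setPaused(bool p) external onlyOwner { paused = p; }
    // Before the fix, stakeFor() was the only gated entry point.
    function stakeFor(address who, uint256 amount) external whenNotPaused {
        _sync(who);
        balanceOf[who] += amount;
        totalStaked += amount;
    }
    // After the fix, withdrawals, claims and distributions also halt while
    // paused, so outflows stop during an incident; migration paths stay open.
    function withdraw(uint256 amount, bool claim) external whenNotPaused {
        _withdraw(msg.sender, amount, claim);
    }
    function withdrawAll(bool claim) external whenNotPaused {
        _withdraw(msg.sender, balanceOf[msg.sender], claim);
    }
    function getReward(address who) external whenNotPaused returns (uint256 paid) {
        _sync(who);
        paid = rewards[who];
        rewards[who] = 0;                                // transfer would follow
    }
    function distributeRewards(uint256 amount) external whenNotPaused {
        require(totalStaked > 0, "nothing staked");      // distributeGold(): same gate
        rewardPerTokenStored += amount * 1e18 / totalStaked;
    }
    function _withdraw(address who, uint256 amount, bool claim) internal {
        _sync(who);
        balanceOf[who] -= amount;
        totalStaked -= amount;
        if (claim) rewards[who] = 0;                     // paid out, as in getReward()
    }
    function _sync(address who) internal {
        rewards[who] += balanceOf[who] * (rewardPerTokenStored - rewardPerTokenPaid[who]) / 1e18;
        rewardPerTokenPaid[who] = rewardPerTokenStored;
    }
}
```

With the contract paused, every call except setPaused() reverts with "paused", which is the behaviour the recommendation asks for on the withdraw, claim and distribution paths.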