TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: low
Valid

Users are able to withdraw and claim even when `TempleGoldStaking` is paused

Summary

When `TempleGoldStaking` is paused, users can still withdraw their staking tokens and claim their rewards.

Vulnerability Details

The functions `TempleGoldStaking::withdraw` and `TempleGoldStaking::withdrawAll` both call the internal helper `TempleGoldStaking::_withdrawFor`, which lacks the `whenNotPaused` modifier, so both can be called even when the contract is paused. In addition, `_withdrawFor` calls `TempleGoldStaking::_getReward`, so users can also claim rewards while the contract is paused.
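
The pattern described above, reduced to a constructed model (an added example, not code from the TempleGold repository or from this submission). `StakingModel`, `PatchedStakingModel`, `PauseCheck`, `setPaused` and the `ContractPaused` error are hypothetical names; only `withdraw`, `_withdrawFor`, `_getReward` and `whenNotPaused` come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed model, not TempleGoldStaking: balances stand in for token and
// reward transfers, and setPaused() has no access control.
contract StakingModel {
    bool public paused;
    mapping(address => uint256) public staked;
    mapping(address => uint256) public rewardsClaimed;

    error ContractPaused();

    modifier whenNotPaused() {
        if (paused) revert ContractPaused();
        _;
    }

    function setPaused(bool value) external { paused = value; }

    function stake(uint256 amount) external whenNotPaused { staked[msg.sender] += amount; }

    // No pause check on the entry point or on either helper.
    function withdraw(uint256 amount) external { _withdrawFor(msg.sender, amount); }

    function _withdrawFor(address staker, uint256 amount) internal virtual {
        staked[staker] -= amount;
        _getReward(staker); // withdrawing also claims
    }

    function _getReward(address staker) internal virtual { rewardsClaimed[staker] += 1; }
}

// Same model with whenNotPaused on both internal helpers.
contract PatchedStakingModel is StakingModel {
    function _withdrawFor(address staker, uint256 amount) internal override whenNotPaused {
        super._withdrawFor(staker, amount);
    }

    function _getReward(address staker) internal override whenNotPaused { super._getReward(staker); }
}

contract PauseCheck {
    // true: withdraw() still succeeds after pausing; false: it reverts.
    function withdrawsWhilePaused(StakingModel s) external returns (bool) {
        s.stake(1);
        s.setPaused(true);
        try s.withdraw(1) { return true; } catch { return false; }
    }
}
```

Called with a fresh `StakingModel`, `withdrawsWhilePaused` returns `true`; called with a fresh `PatchedStakingModel`, it returns `false`.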

Impact

`pause` and `unpause` are usually used in emergency situations where the protocol needs to stop everything in motion. If an issue arises where all actions need to halt, allowing users to still withdraw and claim rewards could be detrimental.

Tools Used

Foundry

Recommendations

Add the `whenNotPaused` modifier to `_withdrawFor` and `_getReward`:

- function _getReward(address staker, address rewardsToAddress, uint256 index) internal {
+ function _getReward(address staker, address rewardsToAddress, uint256 index) internal whenNotPaused {
....
}
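
Review bot: putting `whenNotPaused` on the internal `_getReward` gates every caller of the helper, not only the user-facing claim path. The judging tag on this finding says only the migrator should be able to act while the contract is paused, so if the migrator flow reaches `_getReward` it would be blocked as well. Confirm that no paused-state path depends on this helper, or place the modifier on the external entry points instead.
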
- function _withdrawFor() internal updateReward(staker, stakeIndex) {
+ function _withdrawFor() internal whenNotPaused updateReward(staker, stakeIndex) {
....
}
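
Review bot: the `_withdrawFor()` signature on both the removed and added lines has an empty parameter list, yet `updateReward(staker, stakeIndex)` refers to `staker` and `stakeIndex`, so the suggested line cannot be applied as written; restate it with the function's actual parameters. Also, since the finding states that `_withdrawFor` calls `_getReward`, gating both helpers runs the pause check twice on every withdrawal: the check on `_getReward` is redundant for withdrawals and matters only for direct claim calls.
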
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Only migrator should be able to perform actions when contract is paused.
