TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: low
Valid

Users will be able to claim rewards even when the contract is paused.

Summary

Many functions do not have the whenNotPaused modifier.

Vulnerability Details

Using pause/unpause custom modifiers is a very popular practice in the field. When it comes to staking, the best practice and widely adopted design for such pausing modifiers is the following.

Assume the contract has been paused due to an emergency:

  • Users shouldn't be able to stake after the pausing.

  • Users shouldn't be able to claim any rewards after the pausing.

  • Users should still be allowed to withdraw their funds even after the contract has been paused.

In TempleGoldStaking.sol, the instances that lack the whenNotPaused modifier are:

  • getReward

  • _getReward

One well-known staking protocol, GAMMA, implemented the same design choices in its staking contracts.

Note: All functions that allow users to withdraw their funds also call _getReward internally, as you can see in _withdrawFor, which is called when the user uses:

  • withdraw

  • withdrawAll

Even during migration of the contract, _withdrawFor gets called.

Impact

In case of emergency, malicious actors would be able to claim rewards and withdraw funds, which is against the intended design of the protocol.

Tools Used

Manual review

Recommendations

As all of the above-mentioned functions use _getReward under the hood, I recommend integrating the modifier into this function.
However, the general design is to allow users to take their funds back, which in this case can't be done because of the migration design choice made by the protocol. My recommendation would therefore be to create a separate function, emergencyWithdraw, for emergency scenarios.
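The pause semantics described under Vulnerability Details and the recommendation above, as an added illustration that is not TempleGoldStaking.sol or any TempleDAO code. The contract, its names (PausableStakingExample, emergencyWithdraw, the bool claimRewards parameter on _withdrawFor) and the one-reward-per-staked-unit accrual are all assumptions made for the example; token transfers are modelled as plain balances so it compiles stand-alone. The whenNotPaused check sits on _getReward so that every path ending in a claim (getReward, withdraw, migration) reverts while paused, while emergencyWithdraw returns the stake without touching rewards. The Foundry test at the bottom assumes the standard forge-std layout.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol"; // assumption: standard Foundry layout

/// Illustrative staking contract (hypothetical, not TempleGoldStaking).
/// While paused: no staking, no reward claims; stake can still be recovered.
contract PausableStakingExample {
    address public owner;
    bool public paused;

    mapping(address => uint256) public staked;          // principal per user
    mapping(address => uint256) public rewards;         // accrued, unclaimed
    mapping(address => uint256) public rewardsClaimed;  // running total paid out

    event RewardClaimed(address indexed user, uint256 amount);
    event EmergencyWithdraw(address indexed user, uint256 amount);

    error EnforcedPause();
    error NotOwner();
    error NothingStaked();

    modifier onlyOwner() { if (msg.sender != owner) revert NotOwner(); _; }
    modifier whenNotPaused() { if (paused) revert EnforcedPause(); _; }

    constructor() { owner = msg.sender; }

    function pause() external onlyOwner { paused = true; }
    function unpause() external onlyOwner { paused = false; }

    /// Staking is blocked while paused. Accrual is a constructed stand-in:
    /// one reward unit per staked unit, purely for illustration.
    function stake(uint256 amount) external whenNotPaused {
        staked[msg.sender] += amount;
        rewards[msg.sender] += amount;
    }

    /// Public claim entry point; the pause check lives in _getReward.
    function getReward() external { _getReward(msg.sender); }

    /// Normal exit: returns principal and claims rewards. Because it reaches
    /// _getReward, the whole call reverts while paused.
    function withdraw(uint256 amount) external { _withdrawFor(msg.sender, amount, true); }

    /// Emergency exit that stays open while paused: principal only, no claim,
    /// so no reward can leave the contract during the incident. Whether the
    /// unclaimed rewards remain claimable after unpause is a policy choice.
    function emergencyWithdraw() external {
        uint256 amount = staked[msg.sender];
        if (amount == 0) revert NothingStaked();
        staked[msg.sender] = 0;
        emit EmergencyWithdraw(msg.sender, amount);
        // token transfer of `amount` to msg.sender would go here
    }

    function _withdrawFor(address user, uint256 amount, bool claimRewards) internal {
        staked[user] -= amount;
        if (claimRewards) _getReward(user);
    }

    /// Single choke point for reward claims; one modifier here closes every
    /// external path that ends in a claim.
    function _getReward(address user) internal whenNotPaused {
        uint256 amount = rewards[user];
        if (amount == 0) return;
        rewards[user] = 0;
        rewardsClaimed[user] += amount;
        emit RewardClaimed(user, amount);
    }
}

/// Foundry check of the intended behaviour (run with `forge test`).
contract PausableStakingExampleTest is Test {
    PausableStakingExample staking;
    address alice = address(0xA11CE); // constructed test address

    function setUp() public {
        staking = new PausableStakingExample(); // this test contract is owner
        vm.prank(alice);
        staking.stake(100);
    }

    function testPauseBlocksClaimsButAllowsEmergencyExit() public {
        staking.pause();
        vm.startPrank(alice);
        vm.expectRevert(PausableStakingExample.EnforcedPause.selector);
        staking.getReward();                       // direct claim blocked
        vm.expectRevert(PausableStakingExample.EnforcedPause.selector);
        staking.withdraw(100);                     // withdraw path blocked via _getReward
        staking.emergencyWithdraw();               // principal still recoverable
        vm.stopPrank();
        assertEq(staking.staked(alice), 0);
        assertEq(staking.rewardsClaimed(alice), 0); // nothing was claimed while paused
    }
}
```

The point of putting the modifier on the internal _getReward rather than on each public function is the one the finding makes: withdraw, withdrawAll and the migration path all reach the same internal function, so a single check there cannot be bypassed by a caller the auditor did not enumerate.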

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Only migrator should be able to perform actions when contract is paused.
