Tadle

DeFi

30,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Pausability cannot be set in Rescuable contract which may impact the contracts in scope

abaikunanbaev

Summary

In Rescuablesmart contract which is a helper contract that is used by other contracts as a helper functionality there is a setPauseStatus()function meaning the contract must be paused in emergency situations when needed. The problem is that there is no whenNotPausedmodifier meaning that no functionality can be paused.

Vulnerability Details

Take a look at the setPauseStatus():

https://github.com/Cyfrin/2024-08-tadle/blob/main/src/utils/Rescuable.sol#L46-55

/**

* @notice The caller must be the owner.

* @dev Sets the pause status.

* @param pauseSatus The new pause status.

function setPauseStatus(bool pauseSatus) external onlyOwner {

if (pauseSatus) {

_pause();

} else {

_unpause();

}

emit SetPauseStatus(pauseSatus);

}

The problem is that to use the pausing functionality, whenNotPausedmodifier should be implemented on one of the functions. As the contract has important transfer functions that other contracts in-scope implement, the pausability cannot be used to handle emergency situations.

Impact

No functionality can be paused which is not the expected behavior.

Tools Used

Manual review.

Recommendations

Add whenNotPausedmodifier where it's needed.

Updates

Lead Judging Commences

0xnevi Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

[invalid] finding-Rescuable-pause-no-effect

I believe this is informational and non-acceptable severity because: - A single pause on withdraw to be sufficient to pause the markets during times of emergencies, given that is the only function where collateral/point tokens/native ETH can be pulled from market transactions. - Every tadle market place can be switched offline by the admin via [`updateMarketPlaceStatus`](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/SystemConfig.sol#L160-L171) and is checked in market actions via [`checkMarketPlaceStatus`](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/libraries/MarketPlaceLibraries.sol#L54-L67) to be online. This prevents many major market actions including the creation, listing and settlement of offers.

Prize pool breakdown

Total prize

30,000 USDC

nSLOC

1,229

24 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.