Tadle

DeFiFoundry

27,750 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Lack of pausing for critical functions risks loss of funds

x18a6

Summary

Rescuable.sol features a pausing mechanism that is currently only applied to TokenManager::withdraw(...) function. Several critical functions are not protected by a whenNotPaused modifier and could be exposed during emergency pausing.

Vulnerability Details

Quoting README.md:

Actors

Admin:

...

* Pause all the markets

We demonstrate that markets can not be paused by owner.

The whenNotPaused modifier is used only in the TokenManager::withdraw(...) function:

function withdraw(

address _tokenAddress,

TokenBalanceType _tokenBalanceType

) external whenNotPaused {

...

}

Here's a list of the CRITICAL functions in the PreMarkets contract that are not covered with the pausing mechanism:

createOffer: Initiates a new offer with collateral deposit.
createTaker: Allows a user to take an existing offer, transferring tokens.
listOffer: Enables listing of a bid offer, potentially with additional collateral.
closeOffer: Cancels an offer and refunds collateral.
relistOffer: Reactivates a previously cancelled offer, requiring collateral redeposit.
abortAskOffer: Terminates an ask offer, refunding remaining collateral.
abortBidTaker: Cancels a bid taker position, refunding the taker.

These functions handle critical operations involving token transfers, collateral management, and offer state changes. The same case could be made for the rest of contracts in the code-base with critical functions, e.g., TokenManager itself.

Impact

The lack of pausing exposes critical fund flows during emergencies, introducing serious problmes. e.g., loss of funds from continued trading despite the protocol being compromised.

Tools Used

Manual review.
OpenZeppelin docs.

Recommendations

Apply whenNotPaused modifier to critical functions.

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

[invalid] finding-Rescuable-pause-no-effect

I believe this is informational and non-acceptable severity because: - A single pause on withdraw to be sufficient to pause the markets during times of emergencies, given that is the only function where collateral/point tokens/native ETH can be pulled from market transactions. - Every tadle market place can be switched offline by the admin via [`updateMarketPlaceStatus`](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/SystemConfig.sol#L160-L171) and is checked in market actions via [`checkMarketPlaceStatus`](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/libraries/MarketPlaceLibraries.sol#L54-L67) to be online. This prevents many major market actions including the creation, listing and settlement of offers.

Prize pool breakdown

Total prize

27,750 USDC

nSLOC

1,229

23 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!