The protocol is designed to allow an admin to pause all markets. However, the whenNotPaused modifier is not applied consistently across all critical functions. This oversight can lead to market operations continuing even when they should be paused, potentially causing financial and security risks.
According to the Contest Details, the admin is tasked with the ability to pause all the markets:
However, the whenNotPaused modifier is not applied to all critical functions that should be paused during an emergency or maintenance. This modifier is only used in the withdraw() function.
whenNotPaused Modifier: All functions that affect market operations should be protected by the whenNotPaused modifier to ensure they cannot be executed when the contract is paused.
Market operations may continue even when the contract is supposed to be paused, leading to potential inconsistencies and operational/security issues.
Manual Review
Ensure that all functions affecting market operations are protected by the whenNotPaused modifier to prevent their execution when the contract is paused.
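As an added illustration (not Tadle's code; contract and function names such as MiniMarketInconsistent, MiniMarketHardened, createOffer and settle are hypothetical stand-ins), the two contracts below contrast the pattern this finding describes, where only withdraw() carries whenNotPaused, with a hardened layout in which every state-changing market action runs through one pause check and, additionally, a per-market online flag that lets the admin halt a single market or all of them:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Tadle code. All names here are hypothetical.

/// Pattern described by the finding: whenNotPaused guards withdraw() only,
/// so createOffer() and settle() keep mutating market state while paused.
contract MiniMarketInconsistent {
    address public immutable admin;
    bool public paused;
    mapping(address => uint256) public balances;   // native ETH credited per user
    mapping(uint256 => address) public offerMaker; // offer id -> maker
    uint256 public nextOfferId;

    error NotAdmin();
    error EnforcedPause();

    modifier onlyAdmin() { if (msg.sender != admin) revert NotAdmin(); _; }
    modifier whenNotPaused() { if (paused) revert EnforcedPause(); _; }

    constructor() { admin = msg.sender; }

    function setPaused(bool value) external onlyAdmin { paused = value; }

    function deposit() external payable { balances[msg.sender] += msg.value; }

    /// The only gated function: funds cannot leave while paused ...
    function withdraw(uint256 amount) external whenNotPaused {
        balances[msg.sender] -= amount; // checked math reverts on underflow
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    /// ... but offer creation and settlement are NOT gated, so market state
    /// still changes during an emergency pause.
    function createOffer() external returns (uint256 id) {
        id = nextOfferId++;
        offerMaker[id] = msg.sender;
    }

    function settle(uint256 id) external {
        require(offerMaker[id] == msg.sender, "not maker");
        delete offerMaker[id];
    }
}

/// Hardened form: one internal check applied to every state-changing market
/// action, plus a per-market online flag (a hypothetical analogue of a
/// marketplace-status switch) so a single market or all of them can be halted.
contract MiniMarketHardened {
    address public immutable admin;
    bool public paused;
    mapping(uint256 => bool) public marketOnline;   // market id -> online?
    mapping(address => uint256) public balances;
    mapping(uint256 => address) public offerMaker;
    mapping(uint256 => uint256) public offerMarket;  // offer id -> market id
    uint256 public nextOfferId;

    error NotAdmin();
    error EnforcedPause();
    error MarketOffline(uint256 marketId);

    modifier onlyAdmin() { if (msg.sender != admin) revert NotAdmin(); _; }
    modifier whenNotPaused() { _requireNotPaused(); _; }
    modifier whenMarketOnline(uint256 marketId) {
        _requireNotPaused();
        if (!marketOnline[marketId]) revert MarketOffline(marketId);
        _;
    }

    // Single chokepoint for the global pause; a review can grep for functions
    // that change market state without one of the two modifiers above.
    function _requireNotPaused() internal view { if (paused) revert EnforcedPause(); }

    constructor() { admin = msg.sender; }

    function setPaused(bool value) external onlyAdmin { paused = value; }
    function setMarketOnline(uint256 marketId, bool online) external onlyAdmin {
        marketOnline[marketId] = online;
    }

    // Deposits are deliberately left open: adding funds never worsens the
    // protocol's position, so gating them is a design choice, not a requirement.
    function deposit() external payable { balances[msg.sender] += msg.value; }

    function withdraw(uint256 amount) external whenNotPaused {
        balances[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    function createOffer(uint256 marketId) external whenMarketOnline(marketId) returns (uint256 id) {
        id = nextOfferId++;
        offerMaker[id] = msg.sender;
        offerMarket[id] = marketId;
    }

    function settle(uint256 id) external whenMarketOnline(offerMarket[id]) {
        require(offerMaker[id] == msg.sender, "not maker");
        delete offerMaker[id];
        delete offerMarket[id];
    }
}
```

In a Foundry or Hardhat test, the check for the hardened contract is simply that after setPaused(true) every one of withdraw, createOffer and settle reverts with EnforcedPause, and that after setMarketOnline(id, false) the offer functions for that market revert with MarketOffline while other markets keep working; the same test against the inconsistent contract shows createOffer and settle succeeding while paused, which is exactly the condition the finding reports.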
I believe this is informational and non-acceptable severity because:
- A single pause on withdraw is sufficient to pause the markets during times of emergencies, given that it is the only function where collateral/point tokens/native ETH can be pulled from market transactions.
- Every Tadle marketplace can be switched offline by the admin via [`updateMarketPlaceStatus`](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/SystemConfig.sol#L160-L171) and is checked in market actions via [`checkMarketPlaceStatus`](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/libraries/MarketPlaceLibraries.sol#L54-L67) to be online. This prevents many major market actions including the creation, listing and settlement of offers.