Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: low
Invalid

`Markets` are meant to be `pausable` yet `whenNotPaused` modifier is not applied satisfactorily

Summary

The Protocol is designed to allow an admin to pause all markets. However, the whenNotPaused modifier is not applied consistently across all critical functions. This oversight can lead to market operations continuing even when they should be paused, potentially causing financial and security risks.

Vulnerability Details

According to Contest Details, the admin is tasked with the ability to pause all the markets:

Admin (Trust)
- Pause all the markets

However, the whenNotPaused modifier is not applied to all critical functions that should be paused during an emergency or maintenance. This modifier is used only in the withdraw() function.

Functions Missing whenNotPaused Modifier:

All functions that affect market operations should be protected by the whenNotPaused modifier to ensure they cannot be executed when the contract is paused.

Impact

Market operations may continue even when the contract is supposed to be paused, leading to potential inconsistencies and operational/security issues.

Tools Used

Manual Review

Recommendations

Ensure that all functions affecting market operations are protected by the whenNotPaused modifier to prevent their execution when the contract is paused.

Updates

Lead Judging Commences

0xnevi Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[invalid] finding-Rescuable-pause-no-effect

I believe this is informational and non-acceptable severity because:

- A single pause on withdraw to be sufficient to pause the markets during times of emergencies, given that is the only function where collateral/point tokens/native ETH can be pulled from market transactions.
- Every tadle market place can be switched offline by the admin via [`updateMarketPlaceStatus`](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/SystemConfig.sol#L160-L171) and is checked in market actions via [`checkMarketPlaceStatus`](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/libraries/MarketPlaceLibraries.sol#L54-L67) to be online. This prevents many major market actions including the creation, listing and settlement of offers.
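An added example, not part of the submission, the judge's comment or the Tadle code base: a small Python check that lists each externally callable, state-changing function in a Solidity source and reports whether it carries `whenNotPaused`, calls `checkMarketPlaceStatus` in its body, or has neither. The sample contract is constructed; only the names `withdraw`, `whenNotPaused` and `checkMarketPlaceStatus` come from the page, and the other function names and the call's arguments are hypothetical.

```python
import re

# Constructed sample, NOT Tadle source; names other than withdraw are hypothetical.
SAMPLE = """
contract Market is Pausable {
    function withdraw(address token) external whenNotPaused { _pay(token); }
    function createOffer(uint256 amount) external payable {
        status.checkMarketPlaceStatus();
        _create(amount);
    }
    function abortOffer(address offer) external { _abort(offer); }
    function getOffer(address offer) external view returns (uint256) { return offers[offer]; }
    function _pay(address token) internal { }
}
"""

FUNC = re.compile(r"function\s+(\w+)\s*\([^)]*\)([^{;]*)\{")

def body_of(src, open_idx):
    """Return the text between the brace at open_idx and its matching close."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    return src[open_idx + 1:]

def pause_coverage(src, modifier="whenNotPaused", status_check="checkMarketPlaceStatus"):
    """Map each externally callable, state-changing function to its guard."""
    report = {}
    for m in FUNC.finditer(src):
        name, header = m.group(1), m.group(2)
        words = set(re.findall(r"\w+", header))
        if not words & {"external", "public"} or words & {"view", "pure"}:
            continue  # internal/private or read-only: not a pausable entry point
        if modifier in words:
            report[name] = "modifier"
        elif status_check in body_of(src, m.end() - 1):
            report[name] = "status-check"
        else:
            report[name] = "unguarded"
    return report

if __name__ == "__main__":
    for name, guard in pause_coverage(SAMPLE).items():
        print(f"{name:12} {guard}")
```

The regex does not strip comments or follow internal calls and inherited modifiers, so an `unguarded` result is a prompt for manual review rather than a finding.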
