Pause/unpause mechanism not applied for `deposit` and `withdraw` in `PriorityPool`
Summary
In PriorityPool contract, pause/unpause mechanism is used to stop usage of the pool during merkle tree update.
However, the mechanism is not correctly applied to all sensitive functions of the contract including deposit and withdraw.
Vulnerability Details
In PriorityPool contract, most of core logic is implemented using merkle proof, such as deposit, withdraw, unqueueTokens, and claimLSDTokens.
The merkle root of the tree is updated by distribution oracle address through updateDistribution function.
To make it secure between merkle tree state transition, the update is done through two steps:
pauseForUpdate: Pause the protocol for updating the merkle treeupdateDistribution: Actually updates the state and unpause the protocol at the end
However, only unqueueTokens function checks if the protocol is paused or not. Other functions like deposit and withdraw does not check the paused status.
Impact
Inconsistent status transition between updates
Unauthorized access to the protocol during updates
Tools Used
Manual Review
Recommendations
Add whenNotPaused modifier to sensitive methods like deposit and withdraw.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.