Bypass of contract pause in `onTokenTransfer`
Summary
The pauseForUpdate function is designed to pause all queueing and unqueueing operations in the contract to allow for the generation of a new merkle tree. However, this pause can be bypassed through the onTokenTransfer function in the PriorityPool contract.
Where it Occurs?
The vulnerability is present in the onTokenTransfer function, which can be executed even when the contract is paused. This function calls the _withdraw function, which alters the contract's state.
Actual Cause
The onTokenTransfer function does not check if the contract is paused before executing its operations. As a result, it allows users to queue withdrawals and affect the totalQueued amount, bypassing the pauseForUpdate function's restrictions.
Impact
This flaw compromises the contract's intended pause mechanism. Users can still queue withdrawals or reduce the total queued amount while the contract is supposed to be in a paused state, potentially affecting the correctness of the merkle tree generation and the integrity of contract operations during updates.
Recommendations
Implement a pause check in the
onTokenTransferfunction to ensure that no actions can be taken while the contract is paused.Modify the
_withdrawfunction to respect the paused state of the contract, preventing state changes during updates.
By implementing these recommendations, the contract's pause mechanism will function as intended, maintaining the integrity of the update process.
Lead Judging Commences
[INVALID] Bypass of contract pause in `onTokenTransfer` - Tokens can be queued for withdrawal
Appeal created
[INVALID] Bypass of contract pause in `onTokenTransfer` - Tokens can be queued for withdrawal
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.