The PriorityPool contract extends PausableUpgradeable, a feature that enables administrators to pause the contract’s critical functions during emergencies or for scheduled maintenance. However, functions like deposit, withdraw, claimLSDTokens, and unqueueTokens do not enforce the whenNotPaused modifier.
Impacted Functions:
deposit(uint256 _amount, bool _shouldQueue, bytes[] calldata _data)
withdraw(uint256 _amountToWithdraw, uint256 _amount, uint256 _sharesAmount, ...)
claimLSDTokens(uint256 _amount, uint256 _sharesAmount, bytes32[] calldata _merkleProof)
unqueueTokens(uint256 _amountToUnqueue, uint256 _amount, ...)
Because this check is missing, users can still interact with the protocol through these functions even when the contract is paused. This exposes the protocol to operational risks: users can manipulate deposits and withdrawals when the system is expected to be frozen, and administrators cannot temporarily halt critical operations during upgrades or emergencies.
The missing modifier allows deposits, withdrawals, or claims during paused periods, creating operational inconsistencies and security risks. Exploitation is possible if the system enters a paused state without restricting these functionalities.
Manual Review
Apply the whenNotPaused modifier to critical external functions that should not execute when the contract is paused.
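A reviewer can turn this finding into a repeatable check. The script below is an added example, not code from the PriorityPool repository: it uses a regex heuristic (not a full Solidity parser) to list external or public state-changing functions whose header lacks `whenNotPaused`. The `SamplePool` contract and the helper names are constructed for illustration.

```python
import re

# Constructed Solidity excerpt (not the PriorityPool source): one guarded
# function, two unguarded state-changing functions, one view function and
# one internal helper.
SAMPLE_SOURCE = """
contract SamplePool is PausableUpgradeable {
    function deposit(uint256 _amount) external whenNotPaused {
        _deposit(msg.sender, _amount);
    }
    function withdraw(uint256 _amount)
        external
    {
        _withdraw(msg.sender, _amount);
    }
    function unqueue(uint256 _amount) public { _unqueue(_amount); }
    function totalQueued() external view returns (uint256) { return queued; }
    function _deposit(address a, uint256 b) internal {}
}
"""

# Header = text between the parameter list and the opening brace (or ";").
FUNC_RE = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)([^{;]*)[{;]")

def strip_comments(src):
    """Drop comments so a commented-out modifier does not count as a guard."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def unguarded_entry_points(source, guard="whenNotPaused"):
    """Names of external/public state-changing functions lacking `guard`."""
    findings = []
    for name, _params, header in FUNC_RE.findall(strip_comments(source)):
        words = set(re.findall(r"\w+", header))
        if not words & {"external", "public"}:
            continue  # internal/private: not directly callable by users
        if words & {"view", "pure"}:
            continue  # read-only: pausing is usually not required
        if guard not in words:
            findings.append(name)
    return findings

if __name__ == "__main__":
    for fn in unguarded_entry_points(SAMPLE_SOURCE):
        print(f"missing whenNotPaused: {fn}")
```

The output is a review list rather than a verdict: functions such as the pause and unpause controls must stay callable while paused, and a guard applied inside an internal helper is not visible to this header-level check.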