Liquid Staking

Stakelink

DeFiHardhatOracle

50,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Pause, unpause and are not set correctly in PriorityPool

kwakudr

Summary

Pause, unpause and _requireNotPaused are not set correctly in PriorityPool. Current implementation is not effective meaning they don't do what they are supposed to do.

Vulnerability Details

According to openzeppelin:

This module is used through inheritance. It will make available the
modifiers whenNotPaused and whenPaused, which can be applied to
the functions of your contract. Note that they will not be pausable by
simply including this module, only once the modifiers are put in place.
*/

function withdraw(

uint256 _amountToWithdraw,

uint256 _amount,

uint256 _sharesAmount,

bytes32[] calldata _merkleProof,

bool _shouldUnqueue,

bool _shouldQueueWithdrawal

) external {

if (_amountToWithdraw == 0) revert InvalidAmount();

uint256 toWithdraw = _amountToWithdraw;

address account = msg.sender;

// attempt to unqueue tokens before withdrawing if flag is set

if (_shouldUnqueue == true) {

_requireNotPaused();

function unqueueTokens(

uint256 _amountToUnqueue,

uint256 _amount,

uint256 _sharesAmount,

bytes32[] calldata _merkleProof

) external whenNotPaused {

if (_amountToUnqueue == 0) revert InvalidAmount();

if (_amountToUnqueue > totalQueued) revert InsufficientQueuedTokens();

You can see these implementations will not do what they are supposed to do because of incorrect implementation. They are not set up correctly according to the openzeppelin docs. This would be a high security issue since circuit breakers will not work in emergency situations.

Impact

withdrawals, deposits and other calls will happen when the protocol should be paused. Current implementation means they will be bypassed in emergency situations which is not intended.

Tools Used

Manual Review

Recommendations

Add the modifiers and set them correctly

/**

* @dev Modifier to make a function callable only when the contract is not paused.

* Requirements:

* - The contract must not be paused.

modifier whenNotPaused() {

_requireNotPaused();

}

/**

* @dev Modifier to make a function callable only when the contract is paused.

* Requirements:

* - The contract must be paused.

modifier whenPaused() {

_requirePaused();

}

Updates

Lead Judging Commences

inallhonesty Lead Judge

about 1 year ago

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Lack of quality

Prize pool breakdown

Total prize

50,000 USDC

nSLOC

2,530

20 USDC / LOC

High Medium

42,000 USDC

Low

4,250 USDC

Judges

3,750 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.