Missing Pause and UnPause Implementation in PriorityPool Contract
Summary
The PriorityPool contract is designed to inherit the functionality of the Pausable contract, which allows the contract to enter a paused state during unexpected or malicious activities. However, the pause and unpause functions are not directly implemented in the PriorityPool contract. Instead, these functions can only be triggered by the DistributionOracle.
This introduces a reliance on an external entity (the DistributionOracle) to activate or deactivate the pause mechanism, rather than allowing the contract's own privileged roles (like an owner or admin) to manage this critical functionality.
Vulnerability Details
The contract's ability to pause or unpause is dependent on the external DistributionOracle, meaning no direct control of this functionality exists within the PriorityPool itself. If the oracle fails, or if an immediate pause is required due to unforeseen issues, the system may not be able to respond quickly enough.
Impact
Delayed Response to Critical Issues: By outsourcing the pausing functionality to the DistributionOracle, the contract itself lacks autonomy in responding to emergencies. If the oracle is delayed or compromised, the PriorityPool will not be able to promptly pause its functions, exposing it to potential risks such as exploits or unauthorized withdrawals.
Tools Used
Manual Review
Recommendations
Add pause and unpause functions within the PriorityPool contract itself, allowing contract owners or admins to trigger the pausing mechanism independently of the DistributionOracle.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.