The protocol lacks an emergency pause mechanism across all core contracts (MembershipFactory, OWPIdentity, CurrencyManager), making it impossible to halt operations during critical security incidents or when vulnerabilities are discovered. This creates a significant security risk as there's no way to prevent exploitation while fixes are being developed.
The core contracts lack any pause functionality:
    // MembershipFactory.sol
    contract MembershipFactory {
        function createNewDAOMembership(...) external {
            // No pause check
        }
        function joinDAO(...) external {
            // No pause check
        }
    }

    // OWPIdentity.sol
    contract OWPIdentity {
        function mint(...) public onlyRole(MINTER_ROLE) {
            // No pause check
        }
        function burn(...) public onlyRole(MINTER_ROLE) {
            // No pause check
        }
    }

    // CurrencyManager.sol
    contract CurrencyManager {
        function addCurrency(...) external {
            // No pause check
        }
        function removeCurrency(...) external {
            // No pause check
        }
    }
No ability to stop operations if vulnerabilities are discovered
Continuous exploitation possible during incident response
No emergency controls during critical updates
Financial losses cannot be prevented during active exploits
Potential for cascading failures across interconnected contracts
Manual Review
Implement OpenZeppelin's Pausable contract across all core contracts:
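One way to apply this recommendation to the MembershipFactory entry points, as an added example that is not the audited project's code. It assumes OpenZeppelin Contracts v5 and a non-upgradeable contract; PAUSER_ROLE, the constructor arguments, the function parameters and the function bodies are hypothetical stand-ins for what the page elides. The same whenNotPaused gating would go on mint/burn in OWPIdentity and addCurrency/removeCurrency in CurrencyManager.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: OpenZeppelin Contracts v5 import paths (v4 ships Pausable under security/).
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";
import {Pausable} from "@openzeppelin/contracts/utils/Pausable.sol";

// Added example, not the audited code. PAUSER_ROLE, the constructor arguments,
// the function parameters and the simplified bodies are hypothetical.
contract PausableMembershipFactoryExample is AccessControl, Pausable {
    bytes32 public constant PAUSER_ROLE = keccak256("PAUSER_ROLE");

    mapping(address => mapping(address => bool)) public isMember; // dao => member

    event DAOCreated(bytes32 indexed daoId, address indexed creator);
    event Joined(address indexed dao, address indexed member);

    constructor(address admin, address pauser) {
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
        _grantRole(PAUSER_ROLE, pauser);
    }

    // Pausing is the fast path: a dedicated guardian key can halt the entry points.
    function pause() external onlyRole(PAUSER_ROLE) {
        _pause();
    }

    // Resuming is the slow path: only the admin (for example a multisig) can unpause.
    function unpause() external onlyRole(DEFAULT_ADMIN_ROLE) {
        _unpause();
    }

    // whenNotPaused reverts with EnforcedPause() while the contract is paused.
    function createNewDAOMembership(string calldata name) external whenNotPaused {
        emit DAOCreated(keccak256(bytes(name)), msg.sender);
    }

    function joinDAO(address dao) external whenNotPaused {
        isMember[dao][msg.sender] = true;
        emit Joined(dao, msg.sender);
    }
}
```

Splitting the pause and unpause roles lets an incident responder stop the contract quickly without also holding the authority to resume it.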