Part 2
Zaros
PerpetualsDEXFoundrySolidity
70,000 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

missing emergency stop mechanism in Zaros Protocol

0xubermensch

Summary

the protocol lacks an emergency stop mechanism, meaning that in case of an exploit, price manipulation, or unexpected contract behavior, there is no way to halt deposits, withdrawals, or transactions. This exposes the system to potential infinite exploitation, which could lead to loss of user funds.

Impact

risk of Oracle Manipulation: Attackers can exploit faulty price feeds and withdraw excessive funds.

no Recovery in Case of Bug: If an internal bug is found, the team cannot stop it.

regulatory Non-Compliance: Many DeFi protocols require a circuit breaker for legal compliance.

Tools Used

Manual

Migration

add Pausable to ZlpVault.sol and MarketMakingEngine.sol to allow an admin or governance multisig to halt the system in emergencies.

import "@openzeppelin/contracts/security/Pausable.sol";
contract ZlpVault is Pausable {
function deposit(uint256 assets, address receiver) public override onlyMarketMakingEngine whenNotPaused returns (uint256) {
return super.deposit(assets, receiver);
}
function pause() external onlyOwner {
_pause();
}
function unpause() external onlyOwner {
_unpause();
}

}

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Design choice

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.