Submission Details
Severity:
Missing Pause Check in depositRAACFromPool Function in StabilityPool.sol
Summary
The depositRAACFromPool function in the StabilityPool contract lacks the whenNotPaused modifier. This would allow RAAC token deposits even when the contract is paused, potentially compromising security controls during emergency situations.
Vulnerability Details
In the StabilityPool contract, the depositRAACFromPool function is defined as, and lacks whenNotPaused:
```solidity
function depositRAACFromPool(uint256 amount) external onlyLiquidityPool validAmount(amount) {
uint256 preBalance = raacToken.balanceOf(address(this));
raacToken.safeTransferFrom(msg.sender, address(this), amount);
uint256 postBalance = raacToken.balanceOf(address(this));
if (postBalance != preBalance + amount) revert InvalidTransfer();
// TODO: Logic for distributing to managers based on allocation
emit RAACDepositedFromPool(msg.sender, amount);
}
```
Impact
Med/Low severity
The missing modifier allows RAAC token deposits to continue even when the contract is paused.
This could interfere with emergency procedures.
Tools Used
Manual code review
Recommendations
Add the whenNotPaused modifier to the depositRAACFromPool function:
```solidity
function depositRAACFromPool(uint256 amount) external
onlyLiquidityPool
whenNotPaused // @note, add this here
validAmount(amount)
{
uint256 preBalance = raacToken.balanceOf(address(this));
raacToken.safeTransferFrom(msg.sender, address(this), amount);
uint256 postBalance = raacToken.balanceOf(address(this));
if (postBalance != preBalance + amount) revert InvalidTransfer();
// TODO: Logic for distributing to managers based on allocation
emit RAACDepositedFromPool(msg.sender, amount);
}
```
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.