Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

Bypass of Pause Functionality in `BoostController.sol::removeBoostDelegation` Function

Summary

The `BoostController` contract inherits `Pausable`; however, the `removeBoostDelegation` function lacks any pause restriction. Despite documentation stating that "Emergency controls can pause all operations", this function remains callable during a pause. This discrepancy allows state changes to critical global variables even during emergency conditions.

Vulnerability Details

In the `BoostController.sol` contract, the `removeBoostDelegation` function is not protected by any pause checks (e.g., `if (paused()) revert EmergencyPaused();`). Although the function is designed to remove an expired boost delegation, it also updates the global `poolBoost` variable by adjusting `totalBoost`, `workingSupply`, and `lastUpdateTime`. The absence of a pause check allows this function to be executed even when the contract is paused. This behavior directly contradicts the documented guarantee that emergency controls will halt all operations.

Code:

`contracts\core\governance\boost\BoostController.sol`

```solidity
contract BoostController is IBoostController, ReentrancyGuard, AccessControl, Pausable {
    // ...

    // No whenNotPaused modifier and no paused() check: callable while the contract is paused
    function removeBoostDelegation(address from) external override nonReentrant {
        UserBoost storage delegation = userBoosts[from][msg.sender];
        if (delegation.delegatedTo != msg.sender) revert DelegationNotFound();
        if (delegation.expiry > block.timestamp) revert InvalidDelegationDuration();

        // Update pool boost totals before removing delegation
        PoolBoost storage poolBoost = poolBoosts[msg.sender];
        if (poolBoost.totalBoost >= delegation.amount) {
            poolBoost.totalBoost -= delegation.amount;
        }
        if (poolBoost.workingSupply >= delegation.amount) {
            poolBoost.workingSupply -= delegation.amount;
        }
        poolBoost.lastUpdateTime = block.timestamp;

        emit DelegationRemoved(from, msg.sender, delegation.amount);
        delete userBoosts[from][msg.sender];
    }

    // ...
}
```

Impact

Exploiting this vulnerability could lead to:

  • Inconsistent Global State: Unauthorized updates to the poolBoost variable may lead to unintended alterations in the pool’s boost calculations, potentially affecting reward distributions or other critical functionalities.

  • Operational Risks During Emergencies: The ability to modify key state variables during a pause undermines emergency controls, possibly leading to further exploitation or disruption of the system during critical situations.

  • Potential for Systemic Abuse: Attackers could leverage this inconsistency to manipulate boost-related metrics, impacting the overall integrity and fairness of the reward system.

Tools Used

Manual

Recommendations

  • Implement Pause Checks: Add the whenNotPaused modifier to the removeBoostDelegation function to ensure that it cannot be executed when the contract is paused.

  • Review Global State Updates: Reevaluate the logic for updating the poolBoost variable to ensure that any state changes made during emergency conditions do not compromise the integrity of the contract.

  • Align with Documentation: Adjust the contract behavior to fully comply with the promise that "Emergency controls can pause all operations."
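
To check pause coverage across a whole contract rather than one function, the following added example (not part of the submission or the project's code) scans Solidity source for external/public state-changing functions that have neither a `whenNotPaused` modifier nor a `paused()` check in the body. The sample source is constructed: `removeBoostDelegation` is abridged from the snippet above, and the other three functions are hypothetical.

```python
import re

# Constructed sample: removeBoostDelegation is abridged from the finding above;
# guardedByCheck, guardedByModifier and readOnly are hypothetical functions.
SAMPLE = """
contract BoostController is IBoostController, ReentrancyGuard, AccessControl, Pausable {
    function guardedByCheck(address to) external nonReentrant {
        if (paused()) revert EmergencyPaused();
        delete userBoosts[msg.sender][to];
    }
    function guardedByModifier(address to) external whenNotPaused { delete userBoosts[msg.sender][to]; }
    function readOnly(address pool) external view returns (uint256) { return poolBoosts[pool].totalBoost; }
    function removeBoostDelegation(address from) external override nonReentrant {
        PoolBoost storage poolBoost = poolBoosts[msg.sender];
        poolBoost.lastUpdateTime = block.timestamp;
        delete userBoosts[from][msg.sender];
    }
}
"""

# Function name, then everything between the parameter list and the body.
FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)([^{;]*)\{")

def body_at(src, open_idx):
    """Return the text between the brace at open_idx and its matching close."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    raise ValueError("unbalanced braces")

def unguarded_functions(src):
    """List external/public state-changing functions with no pause guard."""
    src = re.sub(r"//[^\n]*|/\*.*?\*/", "", src, flags=re.S)  # drop comments
    missing = []
    for m in FUNC_RE.finditer(src):
        name, words = m.group(1), set(re.findall(r"\w+", m.group(2)))
        if not words & {"external", "public"} or words & {"view", "pure"}:
            continue  # internal/private or read-only: not a pause concern
        in_body = re.search(r"\bpaused\s*\(\s*\)", body_at(src, m.end() - 1))
        if "whenNotPaused" not in words and not in_body:
            missing.append(name)
    return missing

if __name__ == "__main__":
    print(unguarded_functions(SAMPLE))  # ['removeBoostDelegation']
```

This is a text-level heuristic: a custom modifier or an internal helper that performs the pause check is not followed, so each reported name still needs a manual look.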

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BoostController::removeBoostDelegation lacks pause check, allowing state modifications during emergency pauses and undermining contract safety mechanisms
