Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Missing Pause Check in `stake()` Function

Summary

The `stake()` function does not check whether the protocol is paused, allowing users to stake even when the protocol is meant to be halted.

Vulnerability Details

The function lacks a `paused()` check, meaning staking remains accessible even if other protocol functions are paused. This could lead to unintended staking during emergency situations.

/contracts/core/governance/gauges/BaseGauge.sol:261

```solidity
function stake(uint256 amount) external nonReentrant updateReward(msg.sender) {
    if (amount == 0) revert InvalidAmount();
    _totalSupply += amount;
    _balances[msg.sender] += amount;
    stakingToken.safeTransferFrom(msg.sender, address(this), amount);
    emit Staked(msg.sender, amount);
}
```

Impact

Users may stake assets while the protocol is in a paused state.

Tools Used

Manual Review

Recommendations

Add the `whenNotPaused` modifier to the `stake()` function to ensure consistency with protocol controls.
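The recommended gate, shown as an added example that is not the project's code: a reduced stand-in for the gauge in which `stake()` reverts while paused. The contract name, `controller`, `setPaused`, the custom errors other than `InvalidAmount`, and the minimal token interface are assumptions made so the sketch compiles on its own; `nonReentrant` and `updateReward` from the reported function are omitted here and would stay in place in the real contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal token interface for this sketch (the audited contract uses SafeERC20).
interface IERC20Minimal {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical stand-in for BaseGauge, reduced to the staking path.
contract PausableGaugeExample {
    error InvalidAmount();
    error EnforcedPause();
    error NotController();
    error TransferFailed();

    event Staked(address indexed user, uint256 amount);

    IERC20Minimal public immutable stakingToken;
    address public immutable controller; // assumed pause authority
    bool public paused;

    uint256 private _totalSupply;
    mapping(address => uint256) private _balances;

    constructor(IERC20Minimal token) {
        stakingToken = token;
        controller = msg.sender;
    }

    // Reverts before any state change while the gauge is paused.
    modifier whenNotPaused() {
        if (paused) revert EnforcedPause();
        _;
    }

    function setPaused(bool value) external {
        if (msg.sender != controller) revert NotController();
        paused = value;
    }

    // Same body as the reported stake(), now gated by whenNotPaused.
    function stake(uint256 amount) external whenNotPaused {
        if (amount == 0) revert InvalidAmount();
        _totalSupply += amount;
        _balances[msg.sender] += amount;
        if (!stakingToken.transferFrom(msg.sender, address(this), amount)) revert TransferFailed();
        emit Staked(msg.sender, amount);
    }
}
```

A regression test for the fix would pause the gauge, call `stake()` with a non-zero amount, and expect the revert with no change to the caller's balance or the total supply.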

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BaseGauge::withdraw, stake, and checkpoint functions lack whenNotPaused modifier, allowing critical state changes even during emergency pause
