In the BaseGauge.sol contract the stake function does not check if the gauge has been shut down by the admin through the emergencyShutdown function in the GaugeController, allowing users to continue staking even when the gauge is supposed to be inactive.
The vulnerability arises in the stake function, which lets users stake tokens in the gauge without first checking whether the admin has shut the gauge down through the emergencyShutdown function in the GaugeController. As a result, users can keep staking tokens into a gauge that is meant to be inactive, undermining the emergency controls put in place by the protocol.
Consider the following scenario:
The admin uses the emergencyShutdown function in the GaugeController to shut down a gauge due to an emergency or critical issue.
Despite the shutdown, users can still call the stake function in the BaseGauge contract to stake tokens.
This leads to an inconsistency where the gauge is supposed to be inactive, but users are still able to interact with it and stake tokens.
By allowing users to continue staking tokens in a shut-down gauge, the protocol's emergency controls are undermined. This can lead to financial losses, as users may stake tokens in a gauge that is not supposed to be active, and it creates operational inconsistencies that can complicate the resolution of the emergency situation.
Manual Review
To mitigate this vulnerability, add a check to the stake function that reverts when the gauge has been shut down by the admin through the emergencyShutdown function in the GaugeController.
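One way to apply that check, as an added example rather than the protocol's own code: the gauge queries the controller before accepting a deposit. The controller getter isGaugeShutdown, the staking-token handling and the accounting layout are assumptions, since the page does not show the real interfaces.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed: the GaugeController records the result of emergencyShutdown per gauge
// and exposes it through a view. The getter name is an assumption.
interface IGaugeController {
    function isGaugeShutdown(address gauge) external view returns (bool);
}

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract BaseGaugeHardened {
    IGaugeController public immutable controller;
    IERC20 public immutable stakingToken;
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    error GaugeShutdown();

    constructor(address _controller, address _stakingToken) {
        controller = IGaugeController(_controller);
        stakingToken = IERC20(_stakingToken);
    }

    // Reverts while the controller reports this gauge as shut down.
    modifier whenNotShutdown() {
        if (controller.isGaugeShutdown(address(this))) revert GaugeShutdown();
        _;
    }

    // New deposits are refused once the admin has shut the gauge down.
    function stake(uint256 amount) external whenNotShutdown {
        require(amount > 0, "zero amount");
        balanceOf[msg.sender] += amount;
        totalSupply += amount;
        require(stakingToken.transferFrom(msg.sender, address(this), amount), "transfer failed");
    }

    // Withdrawals deliberately carry no shutdown guard: blocking exits during
    // an emergency would trap user funds, so only new staking is stopped.
    function withdraw(uint256 amount) external {
        balanceOf[msg.sender] -= amount; // reverts on underflow in 0.8.x
        totalSupply -= amount;
        require(stakingToken.transfer(msg.sender, amount), "transfer failed");
    }
}
```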