Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Paused BaseGauge contract still allows staking and withdrawals

Summary

The BaseGauge contract allows users to stake and withdraw tokens without enforcing the whenNotPaused modifier. This means that even if the contract is paused, users can still perform these actions, potentially bypassing emergency controls.

Vulnerability Details

The stake and withdraw functions lack the whenNotPaused modifier from OpenZeppelin’s Pausable contract:

BaseGauge.sol

```solidity
function stake(uint256 amount) external nonReentrant updateReward(msg.sender) {
function withdraw(uint256 amount) external nonReentrant updateReward(msg.sender) {
```

Since Pausable is implemented in the contract, it is expected that staking and withdrawing should be restricted when the contract is paused. However, without the whenNotPaused modifier, these functions remain accessible.

Impact

Users can still stake and withdraw assets while the contract is paused for security or governance reasons, so the pause does not stop the state changes it is meant to stop. At the same time, getReward() does carry whenNotPaused, so accumulated rewards cannot be claimed during the pause, leaving the pause behaviour inconsistent across the contract's entry points.

```solidity
function getReward() external virtual nonReentrant whenNotPaused updateReward(msg.sender) {
```

Recommendations

Add whenNotPaused to both stake and withdraw functions.

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BaseGauge::withdraw, stake, and checkpoint functions lack whenNotPaused modifier, allowing critical state changes even during emergency pause