Users Can Stake Tokens Even When Contract Is Paused
Summary
The stake function in BaseGauge does not enforce a pause check, allowing users to continue staking even when the contract is paused. This contradicts the expected behavior of a paused contract, where staking operations should be temporarily halted.
Vulnerability Details
The function currently lacks a whenNotPaused modifier or a manual check for the paused state:
Impact
Users can unknowingly stake in a paused contract, leading to unexpected behavior.
Potential security risks if pausing was meant to prevent further interactions due to an emergency situation.
Violation of expected contract behavior, reducing trust and reliability.
Tools Used
Manual code review.
Recommendations
Enforce a pause check using either:
Adding the
whenNotPausedmodifier:function stake(uint256 amount) external nonReentrant whenNotPaused updateReward(msg.sender) {Explicitly reverting if paused:
if (paused()) revert ContractPaused();
Lead Judging Commences
BaseGauge::withdraw, stake, and checkpoint functions lack whenNotPaused modifier, allowing critical state changes even during emergency pause
BaseGauge::withdraw, stake, and checkpoint functions lack whenNotPaused modifier, allowing critical state changes even during emergency pause
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.