Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

Missing pause() / unpause() Functions

cipherhawk

Overview

The contract defines:

bool public paused;

modifier whenNotPaused() {

if (paused) revert ContractPaused();

}

Yet no external or internal functions ever modify the paused variable. Consequently, paused can never be changed from its default state (presumably false), rendering the whenNotPaused guard meaningless.

Attack Path / Demonstration

Here’s a minimal PoC concept:

Assumption: The contract’s owner finds a critical bug and wants to pause the contract to stop user calls to lock, increase, etc.
Reality: No function exists to call paused = true;. So the system continues operating, cannot be paused.

PoC in Foundry
test that queries the paused variable and tries to call an imaginary pause():

contract veRAACTokenPauseTest is Test {

veRAACToken public veToken;

function setUp() public {

// Deploy a minimal instance of veRAACToken

veToken = new veRAACToken(address(0x1234));

// paused is presumably false

// There's no pause() function we can call here

}

function testCannotPause() public {

// Attempting to call any hypothetical pause function reverts or doesn't exist

vm.expectRevert();

// There's no pause function in the contract

// e.g. veToken.pause(); // doesn't exist, fails

}

This trivial test demonstrates that no function to switch paused from false to true is present.

Impact

No Emergency Halt: If an exploit is discovered, owners cannot use the already-coded whenNotPaused guard to freeze user interactions.
False Sense of Security: The presence of a paused variable and whenNotPaused modifier might mislead developers or integrators into believing there is an actual pause mechanism.

Remediation

Implement standard pause/unpause methods:

function pause() external onlyOwner {

paused = true;

}

function unpause() external onlyOwner {

paused = false;

}

Then, the whenNotPaused checks become meaningful, allowing the contract to stop or resume operations as intended.

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago

Submission Judgement Published

Validated

Assigned finding tags:

veRAACToken lacks the ability to configure `paused` variable

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!