Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

Contracts RWAGauge and RAACGauge can't be paused until the EMERGENCY_ADMIN role is assigned.

Summary

The BaseGauge::setEmergencyPaused function will not work until the holder of DEFAULT_ADMIN_ROLE assigns the EMERGENCY_ADMIN role to someone.

Vulnerability Details

BaseGauge is deployed with role-based access control. The function BaseGauge::setEmergencyPaused is used to pause the contract's critical functions in an emergency and halt operations, and it is callable only by EMERGENCY_ADMIN. This function will not work until the DEFAULT_ADMIN grants the EMERGENCY_ADMIN role to someone who can call it and pause the contracts in an emergency.

// File: contracts/core/governance/gauges/BaseGauge.sol
function setEmergencyPaused(bool paused) external {
    if (!hasRole(EMERGENCY_ADMIN, msg.sender)) revert UnauthorizedCaller(); // <@ POC
    if (paused) {
        _pause();
    } else {
        _unpause();
    }
}

Impact

What if the owner forgets to grant the EMERGENCY_ADMIN role after contract deployment and the RAACGauge or RWAGauge contracts need an emergency pause? Until the owner grants someone the EMERGENCY_ADMIN role, RAACGauge or RWAGauge can't be paused.

Tools Used

  • Manual Review

Recommended Mitigation

In BaseGauge::constructor, add this:

constructor(
address _rewardToken,
address _stakingToken,
address _controller,
uint256 _maxEmission,
uint256 _periodDuration
+ address _emergencyAdminAddress,
) {
.
.
.
// Initialize roles
_grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
_grantRole(CONTROLLER_ROLE, _controller);
+ _grantRole(EMERGENCY_ADMIN, _emergencyAdminAddress)
.
.
.
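
Review bot: The added parameter line in the constructor signature will not compile as written: `uint256 _periodDuration` has no trailing comma before the new `address _emergencyAdminAddress,` line, and that new line ends with a comma directly before `)`. The added `_grantRole(EMERGENCY_ADMIN, _emergencyAdminAddress)` line is also missing its terminating semicolon. Beyond syntax, nothing in the visible lines rejects a zero `_emergencyAdminAddress`, so a deployment that passes address(0) ends up in the same state this finding describes, with no account able to call setEmergencyPaused; consider reverting on the zero address before the grant.
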
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
