Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Invalid

Emergency Shutdown Should be Called only by an Emergency Admin Role inside the Boost

Summary

The wrong role is set for the emergency pause/unpause, contrary to the NatSpec comments.

Vulnerability Details

As defined in the GaugeController and also in the BaseGauge, there is a role named EMERGENCY_ADMIN that is responsible for making an emergency pause/unpause. This special role is defined inside the BoostController:

/// @notice Role identifier for emergency admin functions
bytes32 public constant EMERGENCY_ADMIN = keccak256("EMERGENCY_ADMIN");

https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/governance/boost/BoostController.sol#L38

However, the function setEmergencyShutdown() inside the BoostController contract does not follow this pattern: the role responsible for this task is MANAGER_ROLE. This is a discrepancy with the NatSpec of the role definition.
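
One way to surface this kind of mismatch during review, as an added example that is not part of the original submission or the RAAC code base: a Node.js heuristic that lists role constants never used in an onlyRole() modifier and emergency/pause-named functions not gated by an emergency role. The embedded Solidity is a constructed sample modelled on the lines quoted above, and updateSetting() is a hypothetical function.

```javascript
// Constructed sample modelled on the lines quoted in this finding; it is not
// the real BoostController source, and updateSetting() is hypothetical.
const SAMPLE_SOURCE = `
contract BoostController {
    bytes32 public constant MANAGER_ROLE = keccak256("MANAGER_ROLE");
    /// @notice Role identifier for emergency admin functions
    bytes32 public constant EMERGENCY_ADMIN = keccak256("EMERGENCY_ADMIN");

    function setEmergencyShutdown(bool paused) external onlyRole(MANAGER_ROLE) {
        if (paused) { _pause(); } else { _unpause(); }
    }
    function updateSetting(uint256 value) external onlyRole(MANAGER_ROLE) {}
}`;

// Names of every `bytes32 constant X = keccak256(...)` role declaration.
function declaredRoles(source) {
  const re = /bytes32\s+(?:(?:public|private|internal)\s+)?constant\s+(\w+)\s*=\s*keccak256/g;
  return [...source.matchAll(re)].map((m) => m[1]);
}

// Each function that carries onlyRole(...), with the roles it requires.
function gatedFunctions(source) {
  const fnRe = /\bfunction\s+(\w+)\s*\([^)]*\)([^{;]*)[{;]/g;
  const gated = [];
  for (const m of source.matchAll(fnRe)) {
    const roles = [...m[2].matchAll(/onlyRole\(\s*(\w+)\s*\)/g)].map((r) => r[1]);
    if (roles.length > 0) gated.push({ name: m[1], roles });
  }
  return gated;
}

// Heuristic report: declared-but-unused roles, and functions whose name says
// emergency/pause while none of their required roles is an emergency role.
function auditRoles(source) {
  const gated = gatedFunctions(source);
  const used = new Set(gated.flatMap((f) => f.roles));
  return {
    unusedRoles: declaredRoles(source).filter((r) => !used.has(r)),
    mismatched: gated
      .filter((f) => /emergency|pause/i.test(f.name) && !f.roles.some((r) => /EMERGENCY/i.test(r)))
      .map((f) => f.name),
  };
}

console.log(auditRoles(SAMPLE_SOURCE));
```

The check is name-based, so a hit is a prompt to read the access-control code, not proof of a defect.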

Impact

Tools Used

Recommendations

Consider changing the role required by setEmergencyShutdown() in the BoostController contract.

- function setEmergencyShutdown(bool paused) external onlyRole(MANAGER_ROLE) {
+ function setEmergencyShutdown(bool paused) external onlyRole(EMERGENCY_ADMIN) {
if (paused) {
_pause();
} else {
_unpause();
}
emit EmergencyShutdown(msg.sender, paused);
}
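
Review bot: On the changed signature line of setEmergencyShutdown(), gating on EMERGENCY_ADMIN only works if that role is actually granted to an account, and nothing in this hunk shows a grant; confirm that the constructor or deployment grants EMERGENCY_ADMIN and that its admin role is set as intended, otherwise neither _pause() nor _unpause() can be reached. It would also help to state the required role in the function's NatSpec and to add a test that a caller holding only MANAGER_ROLE now reverts.
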
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
