Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Absence of `whenNotPaused` check in `stake` function of `BaseGauge` could put users' funds at risk during an emergency pause

Description

The `BaseGauge` contract includes security mechanisms for handling emergencies, one of which is the `setEmergencyPaused` function. This function is intended to pause all operations, preventing user interaction with the contract during an emergency, as stated in the documentation:

"Emergency pause stops all operations"

However, the `stake` function does not check whether the contract is paused, so users can still call it during an emergency pause. Without this check, users could unintentionally put their funds at risk during an emergency.

Context

Impact

Medium. Users may inadvertently stake tokens during an emergency, potentially placing their funds at risk. Additionally, the documentation explicitly states that an emergency pause should stop all operations, yet the `stake` function remains operational.

Likelihood

Medium. The `stake` function remains accessible during an emergency pause, but an emergency itself is relatively unlikely to occur.

Recommendation

Apply the `whenNotPaused` modifier to the `stake` function so that users cannot interact with the contract during an emergency pause. This aligns the code with the documented behavior and prevents the risk described above.
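The recommendation as a minimal sketch, added here for illustration and not taken from the audited `BaseGauge` source: an unguarded stake path beside the guarded one. The contract name `GaugeSketch`, the `IERC20Like` interface, `stakeUnguarded`, the owner check, the storage layout and the error names are assumptions; only `stake`, `setEmergencyPaused` and `whenNotPaused` come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

interface IERC20Like {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Added sketch, not the audited BaseGauge source. Storage, access control
// and error names are assumptions; only the function names come from the finding.
contract GaugeSketch {
    IERC20Like public immutable stakingToken;
    address public immutable owner;
    bool public paused;
    mapping(address => uint256) public balanceOf;

    error EnforcedPause();
    error NotOwner();
    error TransferFailed();

    constructor(IERC20Like token) {
        stakingToken = token;
        owner = msg.sender;
    }

    modifier whenNotPaused() {
        if (paused) revert EnforcedPause();
        _;
    }

    function setEmergencyPaused(bool isPaused) external {
        if (msg.sender != owner) revert NotOwner();
        paused = isPaused;
    }

    // Before: no pause check, so deposits are accepted during an emergency pause.
    function stakeUnguarded(uint256 amount) external {
        _stake(amount);
    }

    // After: reverts with EnforcedPause before any token or state movement.
    function stake(uint256 amount) external whenNotPaused {
        _stake(amount);
    }

    function _stake(uint256 amount) private {
        balanceOf[msg.sender] += amount; // state update before the external call
        if (!stakingToken.transferFrom(msg.sender, address(this), amount)) revert TransferFailed();
    }
}
```

A regression test for the fix would set the pause flag, call `stake`, and assert that the call reverts and that `balanceOf` is unchanged.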

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BaseGauge::withdraw, stake, and checkpoint functions lack whenNotPaused modifier, allowing critical state changes even during emergency pause

