The BaseGauge contract defines a whenNotPaused modifier but applies it only to BaseGauge::getReward() and BaseGauge::voteDirection(). Because the remaining state-changing entry points are left unguarded, pausing the contract does not stop the operations that matter most during an emergency, leaving staked assets and reward distribution exposed.
The whenNotPaused modifier is used in only two functions. The first is getReward() (SLOC#327-347), which lets users claim their accumulated rewards:
The second is voteDirection() (SLOC#407-420), which lets users vote on a direction:
stake() and withdraw(), which let users stake tokens in the gauge and withdraw their staked tokens, are not protected by the pausing mechanism.
notifyRewardAmount(), which notifies the gauge of a new reward amount, is likewise not covered by the pause control.
Without comprehensive pause coverage, the contract cannot be fully frozen for maintenance or in response to an attack. Because the non-migration functions are not restricted while paused, users (and an attacker) can keep interacting with the contract in ways that are not intended during a paused state: if a security vulnerability is discovered, the owner cannot halt deposits, withdrawals or reward notifications to protect funds and block unauthorized transactions. This could lead to:
Unauthorized withdrawals during a security breach (reward claims are paused, but the underlying stake is not).
Loss of staked tokens and rewards if a vulnerability is exploited before a fix can be deployed.
Increased risk to user assets, since pausing is the standard safeguard for limiting damage during an incident.
Manual Review
Apply the whenNotPaused modifier to stake(), withdraw() and notifyRewardAmount() as well, so that a pause halts every non-migration state change. Decide explicitly whether withdraw() should stay callable while paused: gating it stops an attacker from exiting a stolen position, but it also locks honest stakers' funds until unpause, so an owner-controlled emergency-withdrawal path is a common compromise if full coverage is adopted.
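As an added illustration (not the project's BaseGauge code), the following minimal gauge shows the recommended coverage: a Synthetix-style staking contract built on OpenZeppelin's Pausable in which stake(), withdraw(), getReward() and notifyRewardAmount() all carry whenNotPaused. The contract name, the DURATION constant, the rewardDistributor role and the OpenZeppelin v5 import paths are assumptions; the real BaseGauge has its own storage layout and a voteDirection() function that is not modeled here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited BaseGauge source. Import paths follow
// OpenZeppelin Contracts v5; adjust them if the project pins v4.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {Pausable} from "@openzeppelin/contracts/utils/Pausable.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

contract PausableGaugeExample is Pausable, Ownable {
    using SafeERC20 for IERC20;
    uint256 public constant DURATION = 7 days; // assumed reward period length
    IERC20 public immutable stakingToken;
    IERC20 public immutable rewardToken;
    address public rewardDistributor; // hypothetical role allowed to notify rewards

    uint256 public totalSupply;
    uint256 public periodFinish;
    uint256 public rewardRate;
    uint256 public lastUpdateTime;
    uint256 public rewardPerTokenStored;
    mapping(address => uint256) public balanceOf;
    mapping(address => uint256) public userRewardPerTokenPaid;
    mapping(address => uint256) public rewards;

    constructor(IERC20 _stakingToken, IERC20 _rewardToken, address _distributor) Ownable(msg.sender) {
        stakingToken = _stakingToken;
        rewardToken = _rewardToken;
        rewardDistributor = _distributor;
    }

    // Emergency switch. Once pause() is called, every function below that
    // carries whenNotPaused reverts with Pausable's EnforcedPause error.
    function pause() external onlyOwner { _pause(); }
    function unpause() external onlyOwner { _unpause(); }

    // Standard Synthetix-style reward accounting, kept minimal.
    modifier updateReward(address account) {
        rewardPerTokenStored = rewardPerToken();
        lastUpdateTime = lastTimeRewardApplicable();
        if (account != address(0)) {
            rewards[account] = earned(account);
            userRewardPerTokenPaid[account] = rewardPerTokenStored;
        }
        _;
    }

    function lastTimeRewardApplicable() public view returns (uint256) {
        return block.timestamp < periodFinish ? block.timestamp : periodFinish;
    }

    function rewardPerToken() public view returns (uint256) {
        if (totalSupply == 0) return rewardPerTokenStored;
        return rewardPerTokenStored
            + ((lastTimeRewardApplicable() - lastUpdateTime) * rewardRate * 1e18) / totalSupply;
    }

    function earned(address account) public view returns (uint256) {
        return (balanceOf[account] * (rewardPerToken() - userRewardPerTokenPaid[account])) / 1e18
            + rewards[account];
    }

    // In the finding, stake()/withdraw()/notifyRewardAmount() lack this modifier and
    // keep working while getReward() is frozen. Here all four are gated.
    function stake(uint256 amount) external whenNotPaused updateReward(msg.sender) {
        require(amount > 0, "zero amount");
        totalSupply += amount;
        balanceOf[msg.sender] += amount;
        stakingToken.safeTransferFrom(msg.sender, address(this), amount);
    }

    function withdraw(uint256 amount) external whenNotPaused updateReward(msg.sender) {
        require(amount > 0 && amount <= balanceOf[msg.sender], "bad amount");
        totalSupply -= amount;
        balanceOf[msg.sender] -= amount;
        stakingToken.safeTransfer(msg.sender, amount);
    }

    function getReward() external whenNotPaused updateReward(msg.sender) {
        uint256 reward = rewards[msg.sender];
        if (reward == 0) return;
        rewards[msg.sender] = 0;
        rewardToken.safeTransfer(msg.sender, reward);
    }

    function notifyRewardAmount(uint256 reward) external whenNotPaused updateReward(address(0)) {
        require(msg.sender == rewardDistributor, "not distributor");
        rewardToken.safeTransferFrom(msg.sender, address(this), reward);
        if (block.timestamp >= periodFinish) {
            rewardRate = reward / DURATION;
        } else {
            uint256 leftover = (periodFinish - block.timestamp) * rewardRate;
            rewardRate = (reward + leftover) / DURATION;
        }
        lastUpdateTime = block.timestamp;
        periodFinish = block.timestamp + DURATION;
    }
}
```

To verify the property the finding asks for, a Foundry test would call pause() from the owner and then expect stake(), withdraw(), getReward() and notifyRewardAmount() to revert with Pausable.EnforcedPause (OpenZeppelin v5's custom error; v4 reverts with the string "Pausable: paused"), while a view such as earned() keeps working. Note that the modifier order matters only for which revert surfaces first: whenNotPaused is listed before updateReward so that a paused contract rejects the call before touching reward storage.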