Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

Missing Pause Mechanism in LendingPool.sol Leads to Unrecoverable Crashes

Summary

The LendingPool.sol contract lacks a pause() function, meaning if a critical bug or exploit is found, the protocol cannot be temporarily halted to protect funds.

Vulnerability Details

No Circuit Breaker in Critical Lending Functions

  • If an exploit is found, the lending pool cannot be stopped, allowing funds to be continuously drained.

  • DeFi hacks happen in seconds—without a pause function, there is no way to mitigate live attacks.

PoC

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "../contracts/pools/LendingPool.sol";

contract MassWithdrawalExploit {
    LendingPool public target;

    constructor(address _target) {
        target = LendingPool(_target);
    }

    function attack(uint256 amount) external {
        target.withdraw(amount); // No pause protection!
    }
}

Impact

  • Mass Withdrawal Exploit – If an attack is ongoing, all liquidity can be drained before mitigation.

  • No Emergency Response – Admins cannot stop functions to protect user funds.

Tools Used

  • Manual Review – Found missing pause() function.

  • Slither – Detected lack of emergency stop functions.

Recommendations

  • Implement OpenZeppelin’s Pausable Modifier

function deposit(uint256 amount) external whenNotPaused {
    // Normal function execution
}

  • Allow Governance or Multi-Sig to Pause the Contract in Emergencies
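
The two recommendations above, combined in one added sketch (not part of the original submission and not the audited LendingPool code). It assumes OpenZeppelin Contracts v5.x import paths; the contract name PausablePoolSketch, the asset_ and multisig parameters and the balanceOf mapping are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: OpenZeppelin Contracts v5.x import paths.
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Pausable} from "@openzeppelin/contracts/utils/Pausable.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical pool used only to show the emergency-stop wiring.
contract PausablePoolSketch is Ownable, Pausable {
    using SafeERC20 for IERC20;

    IERC20 public immutable asset;
    mapping(address => uint256) public balanceOf;

    // `multisig` is the governance or multi-sig address that may pause.
    constructor(IERC20 asset_, address multisig) Ownable(multisig) {
        asset = asset_;
    }

    // Emergency stop: only the owner (the multi-sig) can trigger or lift it.
    function pause() external onlyOwner {
        _pause();
    }

    function unpause() external onlyOwner {
        _unpause();
    }

    // While paused, whenNotPaused reverts with Pausable's EnforcedPause error.
    function deposit(uint256 amount) external whenNotPaused {
        balanceOf[msg.sender] += amount;
        asset.safeTransferFrom(msg.sender, address(this), amount);
    }

    function withdraw(uint256 amount) external whenNotPaused {
        // Checked arithmetic in 0.8.x reverts if amount exceeds the balance.
        balanceOf[msg.sender] -= amount;
        asset.safeTransfer(msg.sender, amount);
    }
}
```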

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
