The BaseGauge.sol contract includes pausing functionality, typically intended to halt critical operations like staking and withdrawing during emergencies or maintenance. However, the stake and withdraw functions do not include the whenNotPaused modifier.
The whenNotPaused modifier is generally part of a pause mechanism (e.g., from OpenZeppelin's Pausable contract) to restrict sensitive actions during emergencies. Its absence here allows critical operations to proceed when they should be suspended.
If the contract is paused due to a vulnerability or maintenance, malicious actors can still stake or withdraw, potentially exploiting ongoing issues.
Manual Review
Ensure both stake and withdraw functions include the whenNotPaused modifier.
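The recommendation above, shown on a minimal contract. This is an added example, not the BaseGauge.sol source: ExampleGauge, setPaused, admin and the accounting-only stake and withdraw bodies are hypothetical, and the pause switch is inlined so the file compiles without imports.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; ExampleGauge and every name in it are hypothetical.
// OpenZeppelin's Pausable provides an equivalent whenNotPaused modifier.
contract ExampleGauge {
    address public immutable admin;
    bool public paused;
    uint256 public totalStaked;
    mapping(address => uint256) public balanceOf;

    error EnforcedPause();
    error NotAdmin();
    error InsufficientBalance();

    // Reverts before the function body runs while the contract is paused.
    modifier whenNotPaused() {
        if (paused) revert EnforcedPause();
        _;
    }

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin();
        _;
    }

    constructor() {
        admin = msg.sender;
    }

    function setPaused(bool value) external onlyAdmin {
        paused = value;
    }

    // Accounting only: token transfers are omitted (assumption of this sketch).
    // Without whenNotPaused here, setPaused(true) would have no effect on staking.
    function stake(uint256 amount) external whenNotPaused {
        balanceOf[msg.sender] += amount;
        totalStaked += amount;
    }

    // The same guard on the exit path, as the recommendation asks.
    function withdraw(uint256 amount) external whenNotPaused {
        if (balanceOf[msg.sender] < amount) revert InsufficientBalance();
        balanceOf[msg.sender] -= amount;
        totalStaked -= amount;
    }
}
```

A regression test for the fix should call setPaused(true) and assert that both stake and withdraw revert with EnforcedPause, then unpause and assert that both succeed.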