Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

veRAACToken can never be paused

Summary

The veRAACToken contract implements pause-related state variables and modifiers but lacks the actual functionality to pause and unpause the contract, rendering the emergency pause mechanism ineffective.

Vulnerability Details

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/tokens/veRAACToken.sol#L103

The contract includes:

  1. A paused state variable that tracks the contract's pause status

  2. A whenNotPaused modifier that's used on critical functions like lock(), increase(), and extend()

  3. No functions to actually modify the paused state

This means that:

  • The paused variable remains in its default state (false) indefinitely

  • The whenNotPaused modifier will never prevent function execution

  • There's no way for the contract owner to pause the contract in case of emergencies

Impact

  • High severity due to the inability to pause the contract during emergencies

  • In case of discovered vulnerabilities, there's no way to temporarily halt operations

Recommendations

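Add owner-restricted functions that modify the paused state:

```solidity
// Assumes the contract declares Paused(address) and Unpaused(address) events.
function pause() external onlyOwner {
    paused = true;
    emit Paused(msg.sender);
}

function unpause() external onlyOwner {
    paused = false;
    emit Unpaused(msg.sender);
}
```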
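To catch this class of bug before an audit does, the following added example (not part of the submission or the RAAC code base) is a heuristic JavaScript check, suitable for a Hardhat project's CI, that flags a bool state variable read by a modifier but never assigned anywhere in the file. The function names and both contract snippets are constructed for illustration.

```javascript
// Added example: heuristic lint (not a Solidity parser) for guard flags nothing can set.

function stripComments(src) {
  return src.replace(/\/\*[\s\S]*?\*\//g, '').replace(/\/\/.*$/gm, '');
}

// Return { name, body } for every modifier, using brace matching.
function modifierBodies(src) {
  const bodies = [];
  const head = /\bmodifier\s+(\w+)[^{;]*\{/g;
  let m;
  while ((m = head.exec(src)) !== null) {
    let depth = 1, i = head.lastIndex;
    for (; i < src.length && depth > 0; i++) {
      if (src[i] === '{') depth++;
      else if (src[i] === '}') depth--;
    }
    bodies.push({ name: m[1], body: src.slice(head.lastIndex, i - 1) });
  }
  return bodies;
}

function findUnsettableGuards(source) {
  const src = stripComments(source);
  const decl = /\bbool\s+(?:(?:public|private|internal)\s+)?(\w+)\s*(?:=\s*(?:true|false)\s*)?;/g;
  const names = new Set([...src.matchAll(decl)].map((d) => d[1]));
  const code = src.replace(decl, ';'); // initializers must not count as writes
  const mods = modifierBodies(code);
  const findings = [];
  for (const name of names) {
    const readers = mods.filter((b) => new RegExp(`\\b${name}\\b`).test(b.body));
    const written = new RegExp(`\\b${name}\\s*=(?!=)`).test(code);
    if (readers.length > 0 && !written) {
      findings.push({ variable: name, modifiers: readers.map((b) => b.name) });
    }
  }
  return findings;
}

// Constructed sketches of the pattern in the finding, not the real veRAACToken source.
const BEFORE = `contract VeTokenSketch {
    bool public paused;
    modifier whenNotPaused() { if (paused) revert ContractPaused(); _; }
    function lock(uint256 amount, uint256 duration) external whenNotPaused {}
}`;
const AFTER = BEFORE.replace(/\}\s*$/, `    function pause() external onlyOwner { paused = true; }
    function unpause() external onlyOwner { paused = false; }
}`);
```

The check only sees one file, so a setter defined in a parent contract would be missed; treat a finding as a prompt for manual review.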
Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

veRAACToken lacks the ability to configure `paused` variable
