Activities in Paused Gauges continues aside from getting rewards and voting on directions
Summary
When any of the gauge contracts are paused, it does not stop all of the activities in the contract. This implies that when the contract faces an emerygency state, users can still interact with the contract.
Vulnerability Details
The EMERGENCY_ROLE has the ability to pause the gauges in times of emergency. When gauge is paused, only rewards won't be possible to get and denial on voting for directions. This opens the contract to continuous activity even when there is no assurance of interacting with contract to gain accumulated rewards or vote on direction.
Also observe who can call emergencyWithdraw. This is the DEFAULT_ADMIN as against the address assigned to perform emergency operations.
Impact
Denial of accumulated rewards when contract is paused forever (safety from exploit)
Vote on direction.
Tools Used
Manual review.
Recommendations
Add a whenNotPaused to every critical functions in the contract. This is if an exploit occurs on the contract and emergency role save by pausing, users will not continue to interact with a contract where their rewards will remain unclaimable.
Make the real assigned role to perform emergency roles.
Lead Judging Commences
BaseGauge::withdraw, stake, and checkpoint functions lack whenNotPaused modifier, allowing critical state changes even during emergency pause
BaseGauge::withdraw, stake, and checkpoint functions lack whenNotPaused modifier, allowing critical state changes even during emergency pause
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.