Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Inconsistent Pause Protection Allows Staking Operations During Market Freeze

Summary:

The BaseGauge contract's stake() and withdraw() functions lack proper pause protection, allowing users to modify staking positions while other critical functions like rewards and voting are frozen. This creates an inconsistency in the pause mechanism and potential for position manipulation during market stress.

Vulnerability Details:

In the BaseGauge contract:

    // Stake function missing whenNotPaused modifier
    function stake(uint256 amount) external nonReentrant updateReward(msg.sender) {
        if (amount == 0) revert InvalidAmount();
        totalSupply += amount;
        balances[msg.sender] += amount;
        stakingToken.safeTransferFrom(msg.sender, address(this), amount);
        emit Staked(msg.sender, amount);
    }

    // Withdraw function missing whenNotPaused modifier
    function withdraw(uint256 amount) external nonReentrant updateReward(msg.sender) {
        if (amount == 0) revert InvalidAmount();
        if (balances[msg.sender] < amount) revert InsufficientBalance();
        totalSupply -= amount;
        balances[msg.sender] -= amount;
        stakingToken.safeTransfer(msg.sender, amount);
        emit Withdrawn(msg.sender, amount);
    }

    // Other functions properly protected
    function getReward() external virtual nonReentrant whenNotPaused updateReward(msg.sender) {
        // ... reward claim logic
    }

    function voteDirection(uint256 direction) public whenNotPaused updateReward(msg.sender) {
        // ... voting logic
    }

This inconsistency means:

  1. Users can still stake/unstake during market emergencies

  2. Position changes are allowed while rewards are frozen

  3. Voting weight can be manipulated while voting is paused

  4. The intended market freeze mechanism is broken

Impact:

  • Inconsistent protocol behavior during emergencies

  • Potential for position manipulation during market stress

  • Undermined pause protection for rewards and voting

  • Reduced effectiveness of emergency controls

  • Possible gaming of reward/voting mechanisms

Tools Used:

Manual code review

Recommendations:

  1. Add pause protection to staking functions.

  2. Add emergency withdrawal function.
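
Both recommendations applied to a reduced gauge, as an added example that is not the project's code. The contract name `HardenedGauge`, the owner-only `pause()`/`unpause()`, `emergencyWithdraw()` and its event, and the OpenZeppelin Contracts v5 import paths are assumptions; the reward accounting behind `updateReward` is left out because it is not shown on the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Pausable} from "@openzeppelin/contracts/utils/Pausable.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";
// Hypothetical reduced gauge (OpenZeppelin v5 paths assumed); reward accounting omitted.
contract HardenedGauge is Ownable, Pausable, ReentrancyGuard {
    using SafeERC20 for IERC20;
    IERC20 public immutable stakingToken;
    uint256 public totalSupply;
    mapping(address => uint256) public balances;
    error InvalidAmount();
    error InsufficientBalance();
    event Staked(address indexed user, uint256 amount);
    event Withdrawn(address indexed user, uint256 amount);
    event EmergencyWithdrawn(address indexed user, uint256 amount);
    constructor(IERC20 token) Ownable(msg.sender) { stakingToken = token; }
    function pause() external onlyOwner { _pause(); }
    function unpause() external onlyOwner { _unpause(); }

    // Position changes freeze together with rewards and voting.
    function stake(uint256 amount) external nonReentrant whenNotPaused {
        if (amount == 0) revert InvalidAmount();
        totalSupply += amount;
        balances[msg.sender] += amount;
        stakingToken.safeTransferFrom(msg.sender, address(this), amount);
        emit Staked(msg.sender, amount);
    }

    function withdraw(uint256 amount) external nonReentrant whenNotPaused {
        if (amount == 0) revert InvalidAmount();
        if (balances[msg.sender] < amount) revert InsufficientBalance();
        totalSupply -= amount;
        balances[msg.sender] -= amount;
        stakingToken.safeTransfer(msg.sender, amount);
        emit Withdrawn(msg.sender, amount);
    }

    // Paused-only exit of the full principal, so a pause cannot trap funds.
    function emergencyWithdraw() external nonReentrant whenPaused {
        uint256 amount = balances[msg.sender];
        if (amount == 0) revert InvalidAmount();
        balances[msg.sender] = 0;
        totalSupply -= amount;
        stakingToken.safeTransfer(msg.sender, amount);
        emit EmergencyWithdrawn(msg.sender, amount);
    }
}
```

In a gauge that keeps the `updateReward` modifier, the emergency path also has to settle or explicitly forfeit the caller's accrued rewards so that `totalSupply` does not change under a stale reward checkpoint.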

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BaseGauge::withdraw, stake, and checkpoint functions lack whenNotPaused modifier, allowing critical state changes even during emergency pause
