veRAACToken can't be paused
Summary
The veRAACToken contract includes a paused state variable and a whenNotPaused modifier to restrict certain functions when the contract is paused. However, there is no functionality to actually pause or unpause the contract. As a result, the paused state variable remains unused, and functions protected by the whenNotPaused modifier cannot be paused as intended.
Vulnerability Details
The paused state variable is initialized in the contract, but there are no functions to modify its state (e.g., pause or unpause). This renders the whenNotPaused modifier ineffective, as the paused variable will always remain in its initial state (likely false). Consequently, functions intended to be pausable cannot be paused, undermining the contract's ability to handle emergencies or security incidents.
Impact
The inability to pause the contract has the following implications:
Lack of Emergency Control: In the event of a security issue or critical bug, the contract cannot be paused to prevent further damage.
Functionality Risks: Functions that should be pausable remain operational even when they should be restricted, potentially exposing the contract to exploitation or misuse.
Tools Used
Manual review
Recommendations
To address this issue, implement pause and unpause functions in the veRAACToken contract. These functions should be restricted to authorized roles (e.g., the contract owner or administrator) to ensure proper access control.
For example:
Lead Judging Commences
veRAACToken lacks the ability to configure `paused` variable
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.