The veRAACToken contract lacks the ability to pause or unpause operations in case of an emergency. Unlike other contracts in the protocol that inherit from OpenZeppelin’s Pausable contract, veRAACToken neither inherits from Pausable nor provides a setter function to update the paused state variable.
The contract defines a paused state variable but fails to implement a mechanism to modify its value. As a result, once deployed, the contract remains permanently in an unpaused state. The whenNotPaused modifier is present and correctly reverts transactions if paused is set to true, but without a setter function or an inherited Pausable mechanism, there is no way to change this state.
In the event of an emergency or a critical bug, the veRAACToken contract cannot be paused, allowing functions guarded by the whenNotPaused modifier to remain callable. This includes critical functions such as lock, increase, extend, and withdraw, which could lead to further exploitation or financial loss if an issue arises.
Manual review.
To ensure consistency with other contracts in the protocol and provide emergency control, the veRAACToken contract should inherit from OpenZeppelin’s Pausable contract and implement functions to toggle the paused state. A setter function with appropriate access control (e.g., onlyOwner or onlyAdmin) should be added to enable authorized users to pause or resume operations when necessary.
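A sketch of this recommendation, added here as an example and not taken from the protocol's code base. It assumes OpenZeppelin Contracts v5.x import paths; the contract name, storage layout and function bodies are simplified placeholders (token transfers and voting-power accounting are omitted).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: OpenZeppelin Contracts v5.x (in v4.x Pausable lives under security/).
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Pausable} from "@openzeppelin/contracts/utils/Pausable.sol";

// Hypothetical stand-in for veRAACToken; only the pause wiring is the point.
contract VeTokenPauseSketch is Ownable, Pausable {
    struct Lock { uint256 amount; uint256 end; }
    mapping(address => Lock) public locks; // placeholder storage

    constructor(address initialOwner) Ownable(initialOwner) {}

    // The contract's own `paused` variable and `whenNotPaused` modifier are
    // dropped: Pausable declares both names, so keeping them would not compile.

    // Emergency switch, restricted to the owner. _pause() reverts if already
    // paused and emits Paused(account), which monitoring can alert on.
    function pause() external onlyOwner { _pause(); }

    // Resume operations. _unpause() reverts if not paused and emits Unpaused(account).
    function unpause() external onlyOwner { _unpause(); }

    // The four entry points the finding lists, now guarded by a modifier
    // whose state can actually change.
    function lock(uint256 amount, uint256 duration) external whenNotPaused {
        require(amount > 0 && locks[msg.sender].amount == 0, "bad lock");
        locks[msg.sender] = Lock(amount, block.timestamp + duration);
    }

    function increase(uint256 amount) external whenNotPaused {
        require(locks[msg.sender].amount > 0, "no lock");
        locks[msg.sender].amount += amount;
    }

    function extend(uint256 newDuration) external whenNotPaused {
        Lock storage l = locks[msg.sender];
        require(l.amount > 0 && block.timestamp + newDuration > l.end, "bad extend");
        l.end = block.timestamp + newDuration;
    }

    function withdraw() external whenNotPaused {
        Lock memory l = locks[msg.sender];
        require(l.amount > 0 && block.timestamp >= l.end, "still locked");
        delete locks[msg.sender];
    }
}
```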