The veRAACToken contract defines a public boolean variable paused and applies the whenNotPaused modifier to several functions to restrict operations when the contract is paused. However, there are no external functions provided to modify the paused state. This prevents the contract owner or any authorized party from pausing or unpausing the contract, rendering the emergency control mechanism ineffective.
Missing Control Functions:
The contract declares:
and uses a modifier:
However, the contract does not include any external or owner-restricted functions (such as pause() or unpause()) to change the value of paused. This means that once deployed, the contract's operational state (paused or unpaused) cannot be changed dynamically by an authorized party.
Inability to Halt Operations:
In the event of an emergency or an exploit, the contract owner will be unable to pause operations, potentially allowing an attacker to continue exploiting the contract's functionality.
Reduced Protocol Security:
The lack of pause/unpause functionality eliminates an important administrative control tool designed to protect user funds and protocol integrity during unforeseen events.
Operational Risks:
Since the emergency control mechanism is not operational, vulnerabilities or external threats may lead to prolonged exposure and increased risk to users and the protocol.
Manual code review
Implement Pause/Unpause Functions:
Introduce external functions to allow the contract owner (or an authorized role) to set the paused state. For example:
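One way to implement the recommended functions, as an added example rather than code from the report or the veRAACToken source. Only `paused` and `whenNotPaused` come from the report; the contract name, owner handling, events, errors and `guardedAction` are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added illustration, not veRAACToken's source. Only `paused` and
/// `whenNotPaused` come from the report; every other name is hypothetical.
contract PausableSketch {
    address public immutable owner;
    bool public paused;
    uint256 public counter;

    event Paused(address indexed account);
    event Unpaused(address indexed account);

    error NotOwner();
    error ContractPaused();
    error AlreadyInState();

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    modifier whenNotPaused() {
        if (paused) revert ContractPaused();
        _;
    }

    /// Emergency stop: blocks every function guarded by whenNotPaused.
    function pause() external onlyOwner {
        if (paused) revert AlreadyInState();
        paused = true;
        emit Paused(msg.sender);
    }

    /// Resume normal operation once the incident is resolved.
    function unpause() external onlyOwner {
        if (!paused) revert AlreadyInState();
        paused = false;
        emit Unpaused(msg.sender);
    }

    /// Stand-in for a guarded state-changing function.
    function guardedAction() external whenNotPaused {
        counter += 1;
    }
}
```

In a real contract the two setters would reuse its existing access control instead of the standalone `owner` variable shown here, and the events give monitoring a signal whenever the pause state changes.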