Open code423n4 opened 2 years ago
Generally agree that a governance function to pause withdrawals is a good idea. But this would be entirely on the Cosmos side; on the Solidity side, having more state for pause/unpause seems to act as a larger attack surface more than a help.
I'd say this is a design decision and not a bug.
Reopening as per the judge's assessment as "primary issue" on the findings sheet.
Handle: tensors
Vulnerability details
In case a hack is occurring or an exploit is discovered, the team (or validators in this case) should be able to pause functionality until the necessary changes are made to the system. Additionally, the gravity.sol contract should be managed by proxy so that upgrades can be made by the validators.
Because an attack would probably span a number of blocks, a method for pausing the contract would be able to interrupt any such attack if discovered.
To use a Thorchain example again, the team behind Thorchain noticed an attack was going to occur well before the system transferred funds to the hacker. However, they were not able to shut the system down fast enough. (According to the incident report here: https://github.com/HalbornSecurity/PublicReports/blob/master/Incident%20Reports/Thorchain_Incident_Analysis_July_23_2021.pdf)
Pause functionality on the contract would have helped secure the funds quickly.
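The pause guard the finding recommends, as an added illustration that is not the warden's code and not gravity.sol's actual API: the contract name, the `guardian` address and the `deposit`/`withdraw` functions are assumptions, and it uses OpenZeppelin's `Pausable` for the state and modifier. Only the value-leaving path is gated, which keeps the extra state to the single flag the sponsor's reply is concerned about.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/security/Pausable.sol";

// Hypothetical sketch of a pausable withdrawal path (assumed names, not gravity.sol).
contract PausableBridge is Pausable {
    // A single guardian is used for brevity. In a validator-run bridge this
    // role should be the validator set (threshold signatures or a multisig),
    // because the pauser key is itself new attack surface: whoever holds it
    // can halt withdrawals, so it needs the same trust model as the bridge.
    address public immutable guardian;

    mapping(address => uint256) public balances;

    event Withdrawn(address indexed to, uint256 amount);

    constructor(address _guardian) {
        require(_guardian != address(0), "guardian is zero");
        guardian = _guardian;
    }

    modifier onlyGuardian() {
        require(msg.sender == guardian, "not guardian");
        _;
    }

    // Deposits are not gated: funds entering the bridge are not at risk
    // from the attack scenario the finding describes.
    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Withdrawals are where value leaves the contract, so this is the
    // function an in-progress exploit would be calling over several blocks.
    // whenNotPaused reverts every call once the guardian has paused.
    function withdraw(uint256 amount) external whenNotPaused {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount; // effects before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        emit Withdrawn(msg.sender, amount);
    }

    // Emergency stop and its reversal; Pausable emits Paused/Unpaused events
    // that monitoring can alert on.
    function pause() external onlyGuardian { _pause(); }
    function unpause() external onlyGuardian { _unpause(); }
}
```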