asselstine
commented
3 years ago The PrizePool has proven to be solid, so we're confident not having a pause.
Open code423n4 opened 3 years ago
asselstine
commented
3 years ago The PrizePool has proven to be solid, so we're confident not having a pause.
GalloDaSballo
commented
3 years ago The sponsor acknowledges the finding and claims that they're confident without a pause functionality Since the finding doesn't specify any potential attack vector, and most likely takes inspiration from design's similar to yearns and other vault architecture, am changing the severity to Non-Critical as the suggestion is a best-practice / good advice
Handle
leastwood
Vulnerability details
Impact
Due to the sensitive nature of PoolTogether's smart contract suite via dealing with user's deposits, withdrawals and prize distribution calculations, it may prove useful to introduce a pause mechanism to enable the admin role to quickly mitigate any issues in the protocol should they arise.
Proof of Concept
https://github.com/pooltogether/v4-core/tree/master/contracts
Tools Used
Manual code review
Recommended Mitigation Steps
Consider adding a pause mechanism such that all sensitive functions are pauseable by the admin role. Additionally, it might be helpful to allow the admin role to completely remove the pause mechanism down the line after PoolTogether has had significant uptime with no disclosed vulnerabilities.