Closed code423n4 closed 2 years ago
My first reaction is that it's desirable for people to be able to claim, as they won't be able to withdraw after the pause, but they can still claim tokens that were already vested.
That said, I feel @dapp-whisperer should weigh in.
Due to a lack of proof on the harmful impact, will downgrade to QA.
Lines of code
https://github.com/code-423n4/2022-04-badger-citadel/blob/18f8c392b6fc303fe95602eba6303725023e53da/src/StakedCitadelVester.sol#L85-L97
Vulnerability details
Impact
While the protocol's other major functions are protected during pause mode by either whenNotPaused or gacPausable(), claim() has no such check. As a result, users can still claim and transfer out tokens while the protocol is paused, which may not be the behaviour the protocol intends.
Proof of Concept
Contract: StakedCitadelVester.sol, function claim(address recipient, uint256 amount)
Recommended Mitigation Steps
Add one of the pause guards used by the protocol's other functions (whenNotPaused or gacPausable()) to claim().
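The gap described under Impact and the fix recommended above, shown side by side as an added illustration that is not code from the Badger Citadel repository: a stripped-down pausable vester with claim() both without and with a pause guard. The contract name, VESTING_DURATION, the Vesting struct and the vest() setter are assumptions made for this sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}
// Stripped-down vester written for this note; it is not StakedCitadelVester.sol.
// VESTING_DURATION, the Vesting struct and the vest() setter are assumptions.
contract MinimalVester {
    IERC20 public immutable token;
    address public immutable owner;
    bool public paused;
    uint256 public constant VESTING_DURATION = 21 days; // assumed linear schedule
    struct Vesting { uint256 total; uint256 claimed; uint256 start; }
    mapping(address => Vesting) public vesting;

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier whenNotPaused() { require(!paused, "paused"); _; }

    constructor(IERC20 _token) { token = _token; owner = msg.sender; }
    function setPaused(bool p) external onlyOwner { paused = p; }

    // Tokens are assumed to be transferred into this contract separately.
    function vest(address who, uint256 total) external onlyOwner whenNotPaused {
        vesting[who] = Vesting(total, 0, block.timestamp);
    }
    function claimableBalance(address who) public view returns (uint256) {
        Vesting memory v = vesting[who];
        if (v.start == 0) return 0;
        uint256 elapsed = block.timestamp - v.start;
        uint256 vested = elapsed >= VESTING_DURATION ? v.total : (v.total * elapsed) / VESTING_DURATION;
        return vested - v.claimed;
    }

    // Before: no pause guard, so vested tokens can leave while the protocol is paused.
    function claimUnguarded(address recipient, uint256 amount) external {
        _claim(recipient, amount);
    }
    // After: identical accounting, but gated like the protocol's other entry points.
    function claim(address recipient, uint256 amount) external whenNotPaused {
        _claim(recipient, amount);
    }
    function _claim(address recipient, uint256 amount) internal {
        require(amount <= claimableBalance(msg.sender), "exceeds vested balance");
        vesting[msg.sender].claimed += amount;
        require(token.transfer(recipient, amount), "transfer failed");
    }
}
```

Whether claim() should be gated at all is the design question raised in the comments above; the sketch only shows that adding the guard is a one-modifier change that leaves the vesting accounting untouched.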