code-423n4 / 2022-06-badger-findings


performUpkeep is not protected by `whenNotPaused` modifier #149

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/Badger-Finance/vested-aura/blob/d504684e4f9b56660a9e6c6dfb839dcebac3c174/contracts/MyStrategy.sol#L391

Vulnerability details

Impact

`performUpkeep` is not protected by the `whenNotPaused` modifier, unlike `manualProcessExpiredLocks`, which basically does the same thing.

Proof of Concept

https://github.com/Badger-Finance/vested-aura/blob/d504684e4f9b56660a9e6c6dfb839dcebac3c174/contracts/MyStrategy.sol#L391

```solidity
    // No whenNotPaused modifier here, unlike manualProcessExpiredLocks
    function performUpkeep(bytes calldata performData) external {
        // Works like this because it reverts if lock is not expired
        LOCKER.processExpiredLocks(false);
    }
```

Recommended Mitigation Steps

Add whenNotPaused modifier to performUpkeep

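The mitigation in compact form, as an added example that is not code from the finding or from the Badger `MyStrategy` contract. `ILocker`, `MockLocker`, `PausableStrategyExample`, the `isExpired()` view and the `checkUpkeep` helper are all hypothetical stand-ins so the snippet compiles on its own; the real strategy inherits its pause logic and talks to the real locker. The point it shows is that both entry points to `processExpiredLocks` sit behind the same `whenNotPaused` gate, and that the keeper-side `checkUpkeep` also reports `paused`, so an automation network does not keep submitting transactions that revert while the strategy is halted:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal locker interface; the real locker exposes more than this.
interface ILocker {
    function processExpiredLocks(bool relock) external;
    function isExpired() external view returns (bool);
}

// Hypothetical mock locker so the example runs stand-alone (e.g. in Remix or Foundry).
contract MockLocker is ILocker {
    uint256 public immutable unlockTime;
    uint256 public processed;

    constructor(uint256 _unlockTime) {
        unlockTime = _unlockTime;
    }

    function isExpired() external view override returns (bool) {
        return block.timestamp >= unlockTime;
    }

    function processExpiredLocks(bool) external override {
        // Mirrors the comment in the finding: reverts while the lock is not expired.
        require(block.timestamp >= unlockTime, "lock not expired");
        processed += 1;
    }
}

// Hypothetical simplified strategy with the recommended change applied.
contract PausableStrategyExample {
    ILocker public immutable LOCKER;
    address public governance;
    bool public paused;

    event Paused(address indexed by);
    event Unpaused(address indexed by);

    modifier onlyGovernance() {
        require(msg.sender == governance, "not governance");
        _;
    }

    // Same gate for every external entry point that touches the locker.
    modifier whenNotPaused() {
        require(!paused, "Pausable: paused");
        _;
    }

    constructor(ILocker locker) {
        LOCKER = locker;
        governance = msg.sender;
    }

    function pause() external onlyGovernance {
        paused = true;
        emit Paused(msg.sender);
    }

    function unpause() external onlyGovernance {
        paused = false;
        emit Unpaused(msg.sender);
    }

    // Manual path: already guarded in the finding.
    function manualProcessExpiredLocks() external onlyGovernance whenNotPaused {
        LOCKER.processExpiredLocks(false);
    }

    // Keeper path: permissionless, so the pause gate is the only thing that
    // stops it from running after governance has halted the strategy.
    function performUpkeep(bytes calldata) external whenNotPaused {
        LOCKER.processExpiredLocks(false);
    }

    // Keeper-side check: report work only when performUpkeep would actually
    // succeed, i.e. the lock is expired and the strategy is not paused.
    function checkUpkeep(bytes calldata)
        external
        view
        returns (bool upkeepNeeded, bytes memory performData)
    {
        upkeepNeeded = !paused && LOCKER.isExpired();
        performData = "";
    }
}
```

To exercise it, deploy `MockLocker` with an `unlockTime` in the past, deploy `PausableStrategyExample` pointing at it, call `pause()` from the deployer, and confirm that both `performUpkeep("")` and `manualProcessExpiredLocks()` revert with `Pausable: paused` while `checkUpkeep("")` returns `false`; after `unpause()`, `performUpkeep("")` succeeds and `processed` on the mock increments.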
GalloDaSballo commented 2 years ago

Don't believe there's any security vulnerability here, code inconsistency (QA) is totally valid though