The restakeGGP() function performs essentially the same task as the stakeGGP() function.
The stakeGGP() function has the whenNotPaused() modifier, which ensures the function is not accessible when the contracts are paused. However, restakeGGP(), which performs the same task, does not implement the whenNotPaused() modifier.
Although it has the onlySpecificRegisteredContract() modifier, which allows only specific registered contracts to call it, restaking can still be done even when the contracts are paused. This is not advisable, as a transfer of funds can still take place when the contract is paused.
Recommended Mitigation Steps
Add the whenNotPaused() modifier to the restakeGGP() function.
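An added example (not code from this report or from the GoGoPool repository): a heuristic Python check that flags state-changing entry points which call the same internal helper as a `whenNotPaused` function but lack the modifier themselves. The Solidity sample is a constructed, simplified model; `StakingModel`, `_stakeGGP`, `stakes` and the `"SomeContract"` argument are assumptions.

```python
import re

# Constructed, simplified Solidity model of the finding (not the project's source).
SAMPLE = '''
contract StakingModel {
    function stakeGGP(uint256 amount) external whenNotPaused {
        _stakeGGP(msg.sender, amount);
    }
    function restakeGGP(address stakerAddr, uint256 amount)
        public
        onlySpecificRegisteredContract("SomeContract", msg.sender)
    {
        _stakeGGP(stakerAddr, amount);
    }
    function _stakeGGP(address stakerAddr, uint256 amount) internal {
        stakes[stakerAddr] += amount;
    }
}
'''

# name, parameter list, then everything up to the opening brace (visibility + modifiers)
FUNC = re.compile(r'function\s+(\w+)\s*\(([^)]*)\)([^{;]*)\{')

def parse_functions(src):
    funcs = {}
    for m in FUNC.finditer(src):
        depth, i = 1, m.end()
        while depth and i < len(src):  # walk to the matching closing brace
            depth += {'{': 1, '}': -1}.get(src[i], 0)
            i += 1
        header = m.group(3)
        funcs[m.group(1)] = {
            'entry': bool(re.search(r'\b(external|public)\b', header)),
            'readonly': bool(re.search(r'\b(view|pure)\b', header)),
            'guarded': bool(re.search(r'\bwhenNotPaused\b', header)),
            'calls': set(re.findall(r'\b(\w+)\s*\(', src[m.end():i])),
        }
    return funcs

def unguarded_siblings(src):
    funcs = parse_functions(src)
    internal = {n for n, f in funcs.items() if not f['entry']}
    protected = set()  # internal helpers reached from a pause-guarded entry point
    for f in funcs.values():
        if f['entry'] and f['guarded']:
            protected |= f['calls'] & internal
    return sorted(n for n, f in funcs.items() if f['entry']
                  and not f['readonly'] and not f['guarded'] and f['calls'] & protected)
```

The check is regex-based and will miss inherited modifiers or calls routed through other contracts, so treat a hit as a prompt for manual review.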
Lines of code
https://github.com/code-423n4/2022-12-gogopool/blob/main/contracts/contract/Staking.sol#L328