Open code423n4 opened 1 year ago
Picodes marked the issue as primary issue
Picodes changed the severity to 2 (Med Risk)
Thanks! We will fix this.
manoj9april marked the issue as sponsor confirmed
Picodes marked the issue as selected for report
This is fixed.
Lines of code
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/SocializingPool.sol#L21 https://github.com/code-423n4/2023-06-stader/blob/main/contracts/Auction.sol#L14 https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderOracle.sol#L17 https://github.com/code-423n4/2023-06-stader/blob/main/contracts/OperatorRewardsCollector.sol#L16
Vulnerability details
Impact
The following contracts :
SocializingPool
,StaderOracle
,OperatorRewardsCollector
andAuction
are supposed to be pausable (as they all inherit fromPausableUpgradeable
) but they don't implement the externalpause/unpause
functionalities which means it will never be possible to pause them.Proof of Concept
All the following contracts
SocializingPool
,StaderOracle
,OperatorRewardsCollector
andAuction
inherit from the openzeppelinPausableUpgradeable
extension which means that they contain internal functions_pause
and_unpause
.Because those function are internal, the contract must implement two other public/external
pause
andunpause
functions to allow the manager to pause and unpause the contracts when necessary, but none of the aforementioned contracts implement those functions which means that even if those contracts are supposed to be pausable (have thepause/unpause
functionalities) none of them can be paused.Tools Used
Manual review
Recommended Mitigation Steps
Add public/external
pause
andunpause
functions in the aforementioned contracts to allow them to be pausable, this can be done just as in theUserWithdrawalManager
contract for example :Assessed type
Other