code-423n4 / 2023-06-stader-findings


There is still a transfer of eth even when contract is paused, due to missing whenNotPaused modifier #407

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-06-stader/blob/main/contracts/UserWithdrawalManager.sol#L179

Vulnerability details

Impact

There is still a transfer of ETH even when the contract is paused, due to a missing whenNotPaused modifier.

Proof of Concept

When a user calls the external function claim(), it executes sendValue(), which transfers ETH away from the contract. However, claim() doesn't implement the whenNotPaused modifier and therefore would still get executed when the contract is paused.

Tools Used

Visual Studio Code

Recommended Mitigation Steps

Add the whenNotPaused modifier to the claim() function.

Assessed type

Access Control
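
A static check for the pattern this report describes, as an added example that is not part of the original report or of Stader's code: it lists external/public Solidity functions that send ETH (through sendValue or a call with a value) without a whenNotPaused modifier. The embedded contract is a constructed sample, and the brace matching is a heuristic that assumes no braces inside string literals.

```python
import re

# Constructed Solidity sample (not Stader's code): claim() sends ETH without
# whenNotPaused, withdraw() is guarded, pause() sends nothing.
SAMPLE = """
contract Demo is Pausable {
    function claim() external nonReentrant {
        uint256 amount = owed[msg.sender];
        owed[msg.sender] = 0;
        Address.sendValue(payable(msg.sender), amount);
    }
    function withdraw(uint256 amount) external whenNotPaused {
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok);
    }
    function pause() external onlyOwner { _pause(); }
}
"""

FUNC_RE = re.compile(r"\bfunction\s+(\w+)\s*\(")
# ETH leaving the contract: Address.sendValue(...) or a low-level call{value: ...}
SEND_RE = re.compile(r"\bsendValue\s*\(|\.call\s*\{[^}]*\bvalue\s*:")

def _body_end(src, open_idx):
    """Return the index just past the brace that closes src[open_idx]."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return i + 1
    return len(src)

def unpaused_eth_senders(src):
    """Names of external/public functions that send ETH without whenNotPaused."""
    src = re.sub(r"//[^\n]*|/\*.*?\*/", "", src, flags=re.S)  # drop comments
    findings = []
    for m in FUNC_RE.finditer(src):
        brace, semi = src.find("{", m.end()), src.find(";", m.end())
        if brace == -1 or (semi != -1 and semi < brace):
            continue  # declaration without a body (interface or abstract)
        header = src[m.start():brace]  # signature, visibility and modifiers
        body = src[brace:_body_end(src, brace)]
        exposed = re.search(r"\b(external|public)\b", header)
        if exposed and "whenNotPaused" not in header and SEND_RE.search(body):
            findings.append(m.group(1))
    return findings
```

A hit is a prompt for review rather than a verdict: whether a payout path should stay callable while paused is a design decision for the protocol.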

c4-judge commented 1 year ago

Picodes marked the issue as duplicate of #242

c4-judge commented 1 year ago

Picodes changed the severity to QA (Quality Assurance)