Open c4-submissions opened 1 year ago
0xleastwood marked the issue as primary issue
0xleastwood marked the issue as satisfactory
0xleastwood removed the grade
0xleastwood marked the issue as selected for report
elmutt (sponsor) confirmed
How is this an issue? If the protocol stops new deposits, then those who are already in should still receive their rewards, otherwise it is they who lose what they are due. Those wanting to deposit are not owed anything. So depositRewards() should not revert when deposit is paused.
Correct, I agree, I misunderstood this as depositing in the protocol generally. This is not the case. I don't even think this issue should be fixed.
0xleastwood marked the issue as not selected for report
0xleastwood changed the severity to QA (Quality Assurance)
Lines of code
https://github.com/code-423n4/2023-09-asymmetry/blob/main/contracts/AfEth.sol#L272-L293
Vulnerability details
Impact
Anyone can still trigger staking when depositing is paused
Proof of Concept
If depositing is paused, then a user can't provide funds to the contract.
But the AfEth.depositRewards function can still be called to provide funds to the strategy, even though the caller will lose his funds.
Tools Used
VsCode
Recommended Mitigation Steps
Do not allow calling AfEth.depositRewards when depositing is paused.
Assessed type
Error