AfEth.depositRewards should revert when pauseDeposit

[c4-submissions]

Lines of code

https://github.com/code-423n4/2023-09-asymmetry/blob/main/contracts/AfEth.sol#L272-L293

Vulnerability details

Impact

Anyone still can trigger staking when contract is depositing is paused

Proof of Concept

In case if depositing is paused, then user can't provide funds to the contract.

But AfEth.depositRewards function still can be called to provide funds to the strategy, even that caller will loose his funds.

Tools Used

VsCode

Recommended Mitigation Steps

Do not allow to call AfEth.depositRewards when depositing is paused.

Assessed type

Error

[elmutt]

https://github.com/asymmetryfinance/afeth/pull/156

[c4-judge]

0xleastwood marked the issue as primary issue

[c4-judge]

0xleastwood marked the issue as satisfactory

[c4-judge]

0xleastwood removed the grade

[c4-judge]

0xleastwood marked the issue as selected for report

[c4-sponsor]

elmutt (sponsor) confirmed

[d3e4]

How is this an issue? If the protocol stops new deposits, then those who are already in should still receive their rewards, otherwise it is they who lose what they are due. Those wanting to deposit are not owed anything. So depositRewards() should not revert when deposit is paused.

[0xleastwood]

How is this an issue? If the protocol stops new deposits, then those who are already in should still receive their rewards, otherwise it is they who lose what they are due. Those wanting to deposit are not owed anything. So depositRewards() should not revert when deposit is paused.

Correct, I agree, I misunderstood this as depositing in the protocol generally. This is not the case. I don't even think this issue should be fixed.

[c4-judge]

0xleastwood marked the issue as not selected for report

[c4-judge]

0xleastwood changed the severity to QA (Quality Assurance)