search

code-423n4 / 2023-11-kelp-findings

13 stars 11 forks source link

RSETH only pauses mints and burns #726

Closed c4-submissions closed 11 months ago

c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/main/src/RSETH.sol#L60

Vulnerability details

Impact

pause() should Trigger a stopped state according to the docstring of the function, which assumes that the RSETH contract logic should completely be paused. However, the whenNotPaused modifier only applies to minting and burning tokens. So, even in a "paused state", RSETH can still be transferred, approved, etc..

If the pause was initiated due to a critical upgrade/deployment that requires RSETH to be paused or if the RSETH contract was compromised, there could be unpredictable consequences such as fund loss.

Proof of Concept

    /// @dev Triggers stopped state.
    /// @dev Only callable by LRT config manager. Contract must NOT be paused.
    function pause() external onlyLRTManager {
        _pause();
    }

Tools Used

Manual Review.

Recommended Mitigation Steps

Completely pause the RSETH contract state.

Assessed type

Access Control

c4-pre-sort commented 11 months ago

raymondfam marked the issue as insufficient quality report

c4-pre-sort commented 11 months ago

raymondfam marked the issue as duplicate of #318

c4-judge commented 10 months ago

fatherGoose1 marked the issue as unsatisfactory: Invalid