Closed (by c4-bot-4, 5 months ago)
0xSorryNotSorry marked the issue as sufficient quality report
0xSorryNotSorry marked the issue as primary issue
Only functions that allow users to get 'in' to the system should be pausable by the GUARDIAN role; functions that allow them to get 'out' of the protocol shouldn't, so that no users can be locked in by the team's multisig or anyone else with the GUARDIAN role. This is why redeem is not pausable.
eswak (sponsor) disputed
Trumpero marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/loan/SimplePSM.sol#L134-L144
Vulnerability details
Impact
In SimplePSM.sol, the mint and mintAndEnterRebase functions carry the whenNotPaused modifier while the redeem function does not. Functions that mint, burn or safeTransfer should carry whenNotPaused, since they change the credit token supply.
Proof of Concept
The function that mints and the function that calls safeTransferFrom both carry the whenNotPaused modifier, but the redeem function does not.
Tools Used
VS Code
Recommended Mitigation Steps
Add the whenNotPaused modifier to the redeem function.
Assessed type
Other
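The disagreement above comes down to which side of the PSM a pause should close. The following contract is an added illustration of the sponsor's design rule (entry pausable, exit not), not code from the ethereumcreditguild repository: the contract names, the guardian/pause wiring and the faucet are hypothetical, and the peg and credit token balances are simulated with mappings so the example deploys stand-alone (for example in Remix) without real ERC-20 tokens.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for this issue; not code from the ethereumcreditguild
// repository. Token balances are simulated with mappings so the example is
// self-contained (no ERC-20 deployments needed).
contract PausableEntryPSM {
    address public immutable guardian;
    bool public paused;

    // Simulated peg token and credit token ledgers (constructed for the demo).
    mapping(address => uint256) public pegBalanceOf;
    mapping(address => uint256) public creditBalanceOf;
    uint256 public pegReserves;       // peg tokens held by the PSM
    uint256 public creditTotalSupply; // credit tokens minted through the PSM

    error ProtocolPaused();
    error NotGuardian();
    error InsufficientBalance();

    modifier whenNotPaused() {
        if (paused) revert ProtocolPaused();
        _;
    }

    modifier onlyGuardian() {
        if (msg.sender != guardian) revert NotGuardian();
        _;
    }

    constructor() {
        guardian = msg.sender;
    }

    // Demo-only faucet: gives the caller peg tokens to deposit.
    function faucet(uint256 amount) external {
        pegBalanceOf[msg.sender] += amount;
    }

    function pause() external onlyGuardian { paused = true; }
    function unpause() external onlyGuardian { paused = false; }

    // Entry path: deposit peg tokens, mint credit 1:1. Pausable, because the
    // guardian may need to stop new exposure from entering the system.
    function mint(uint256 amount) external whenNotPaused {
        if (pegBalanceOf[msg.sender] < amount) revert InsufficientBalance();
        pegBalanceOf[msg.sender] -= amount;
        pegReserves += amount;
        creditBalanceOf[msg.sender] += amount;
        creditTotalSupply += amount;
    }

    // Exit path: burn credit, withdraw peg tokens 1:1. Deliberately NOT
    // pausable: a pause must never be able to trap users' funds.
    function redeem(uint256 amount) external {
        if (creditBalanceOf[msg.sender] < amount) revert InsufficientBalance();
        creditBalanceOf[msg.sender] -= amount;
        creditTotalSupply -= amount;
        pegReserves -= amount;
        pegBalanceOf[msg.sender] += amount;
    }
}

// Exercises the asymmetry: after the guardian pauses, mint reverts while
// redeem still succeeds. Deploy this contract and call run().
contract PauseAsymmetryDemo {
    PausableEntryPSM public psm;

    constructor() {
        psm = new PausableEntryPSM(); // this contract becomes the guardian
    }

    function run() external returns (bool mintBlockedWhilePaused, bool redeemAllowedWhilePaused) {
        psm.faucet(100);
        psm.mint(60); // succeeds while unpaused
        psm.pause();

        try psm.mint(10) {
            mintBlockedWhilePaused = false;
        } catch {
            mintBlockedWhilePaused = true; // reverted with ProtocolPaused
        }

        try psm.redeem(60) {
            redeemAllowedWhilePaused = true; // exit path still open
        } catch {
            redeemAllowedWhilePaused = false;
        }
    }
}
```

Adding whenNotPaused to redeem, as the report recommends, would make the second try block revert as well, which is exactly the lock-in the sponsor's reply describes: a guardian-held multisig could then hold every credit token holder's peg tokens hostage until it chose to unpause.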