code-423n4 / 2023-12-ethereumcreditguild-findings


Missing whenNotPaused modifier for redeem #1226

Closed c4-bot-4 closed 5 months ago

c4-bot-4 commented 6 months ago

Lines of code

https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/loan/SimplePSM.sol#L134-L144

Vulnerability details

Impact

https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/loan/SimplePSM.sol#L134-L144

In SimplePSM.sol the mint and mintAndEnterRebase functions carry the whenNotPaused modifier while the redeem function doesn't. Functions that mint, burn or safeTransfer should carry whenNotPaused, as they make changes to the credit token supply.

Proof of Concept

The function that mints and the function that calls safeTransferFrom carry the whenNotPaused modifier, but the redeem function does not.

```solidity
function mint(
    address to,
    uint256 amountIn
) external whenNotPaused returns (uint256 amountOut) {
```

```solidity
function mintAndEnterRebase(
    uint256 amountIn
) external whenNotPaused returns (uint256 amountOut) {
```

But not the redeem function :

```solidity
function redeem(
    address to,
    uint256 amountIn
) external returns (uint256 amountOut) {
```

Tools Used

VS Code

Recommended Mitigation Steps

Add the whenNotPaused modifier to the redeem function.

```solidity
function redeem(
    address to,
    uint256 amountIn
) external whenNotPaused returns (uint256 amountOut) {
```

Assessed type

Other

c4-pre-sort commented 5 months ago

0xSorryNotSorry marked the issue as sufficient quality report

c4-pre-sort commented 5 months ago

0xSorryNotSorry marked the issue as primary issue

eswak commented 5 months ago

Only functions that allow to get 'in' the system should be pausable by GUARDIAN role, functions that allow to get 'out' of the protocol shouldn't, so that no users can be locked in by the team's multisig or anyone else with the GUARDIAN role. This is why redeem is not pausable.
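
As an added example (not code from the Ethereum Credit Guild repository or from the contest), the following minimal Solidity PSM shows the split the sponsor describes and that the report above proposes to remove: the entry function `mint` carries `whenNotPaused`, the exit function `redeem` deliberately does not, so a GUARDIAN pause stops new deposits but cannot trap existing holders. Every contract and function name here (`ExamplePSM`, `MockToken`, `PauseSplitCheck`, `IERC20Like`, `ICreditTokenLike`) is an assumption, the 1:1 conversion stands in for the real contract's own math, and the mock token skips allowance checks because it exists only to drive the harness. Deploying `PauseSplitCheck` and calling `run()` (in Remix or a Foundry script) reports whether `mint` is blocked while paused and whether `redeem` still goes through with the user getting their peg asset back.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added example, not code from the Ethereum Credit Guild repo. All contract and
// function names below are assumptions chosen to illustrate the pause split.

interface IERC20Like {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface ICreditTokenLike is IERC20Like {
    function mint(address to, uint256 amount) external;
    function burn(uint256 amount) external;
}

contract ExamplePSM {
    address public immutable guardian;
    IERC20Like public immutable peg;          // asset users deposit (e.g. a stablecoin)
    ICreditTokenLike public immutable credit; // token the PSM mints against it
    bool public paused;

    error Paused();
    error NotGuardian();

    constructor(address _guardian, address _peg, address _credit) {
        guardian = _guardian;
        peg = IERC20Like(_peg);
        credit = ICreditTokenLike(_credit);
    }

    modifier whenNotPaused() {
        if (paused) revert Paused();
        _;
    }

    modifier onlyGuardian() {
        if (msg.sender != guardian) revert NotGuardian();
        _;
    }

    function setPaused(bool value) external onlyGuardian {
        paused = value;
    }

    /// Entry into the system: pausable, so the guardian can halt new minting.
    function mint(address to, uint256 amountIn) external whenNotPaused returns (uint256 amountOut) {
        peg.transferFrom(msg.sender, address(this), amountIn);
        amountOut = amountIn; // 1:1 here; a real PSM applies its own conversion
        credit.mint(to, amountOut);
    }

    /// Exit from the system: deliberately NOT pausable, so no guardian can lock users in.
    function redeem(address to, uint256 amountIn) external returns (uint256 amountOut) {
        credit.transferFrom(msg.sender, address(this), amountIn);
        credit.burn(amountIn);
        amountOut = amountIn;
        peg.transfer(to, amountOut);
    }
}

// Test-only token (assumption): single minter, no allowance checks, not a full ERC20.
contract MockToken is ICreditTokenLike {
    mapping(address => uint256) public balanceOf;
    address public minter;

    function setMinter(address m) external { minter = m; }
    function mint(address to, uint256 amount) external { require(msg.sender == minter, "not minter"); balanceOf[to] += amount; }
    function burn(uint256 amount) external { balanceOf[msg.sender] -= amount; }
    function transfer(address to, uint256 amount) external returns (bool) { balanceOf[msg.sender] -= amount; balanceOf[to] += amount; return true; }
    function transferFrom(address from, address to, uint256 amount) external returns (bool) { balanceOf[from] -= amount; balanceOf[to] += amount; return true; }
}

// Harness: this contract acts as both the guardian and the user.
contract PauseSplitCheck {
    function run() external returns (bool mintBlocked, bool redeemAllowed) {
        MockToken peg = new MockToken();
        MockToken credit = new MockToken();
        ExamplePSM psm = new ExamplePSM(address(this), address(peg), address(credit));
        peg.setMinter(address(this));
        credit.setMinter(address(psm));

        peg.mint(address(this), 100);
        psm.mint(address(this), 100);   // unpaused: 100 peg in, 100 credit out
        psm.setPaused(true);            // guardian pauses the system

        // Entry while paused must revert (whenNotPaused).
        try psm.mint(address(this), 1) { mintBlocked = false; } catch { mintBlocked = true; }
        // Exit while paused must still succeed and return the peg asset to the user.
        try psm.redeem(address(this), 100) returns (uint256 out) {
            redeemAllowed = (out == 100 && peg.balanceOf(address(this)) == 100);
        } catch {
            redeemAllowed = false;
        }
    }
}
```

The design choice to note is that `redeem` still burns credit and moves the peg asset, i.e. it changes token supply exactly as the report says, yet guarding it would hand whoever holds GUARDIAN the ability to freeze every depositor's funds; the pause is meant to protect the protocol from new inflows, not to hold users' collateral hostage.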

c4-sponsor commented 5 months ago

eswak (sponsor) disputed

c4-judge commented 5 months ago

Trumpero marked the issue as unsatisfactory: Invalid