The pause feature as implemented can be abused to lock user funds indefinitely or divert control flows during an attack.
Proof of Concept
This could lead to loss of funds and protocol insolvency, because the restricted role granted the unilateral power for emergency pauses has no time limitations or decentralization protections.
The pause() function can be called by any account with the restricted role: PrincipalToken.sol#pause
function pause() external override restricted {
    _pause();
}
There are no checks on the pause duration or review process. An attacker with the restricted role could:
Pause the protocol to prevent withdrawals
Manipulate control flow or drain funds due to the live nature of smart contracts
Refuse to unpause the protocol, essentially denying users their funds
Tools Used
Manual review
Recommended Mitigation Steps
Implement a timelock with a reasonable max pause window
Require a multi-sig and timed process to unpause
Create a "Pause Guardian" role with sole ability to unpause
The current unchecked, unilateral access represents a central point of failure. Decentralizing the process would significantly improve the security guarantees and prevent sustained denial-of-service attacks.
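One way the recommended mitigations could fit together, as an added sketch that is not part of the original report and is not Spectra's code: a pause that expires by itself after a maximum window, with unpausing reserved for a separate guardian. The contract name, role addresses, error names and both durations are assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration, not Spectra's code. All names and durations are hypothetical.
abstract contract BoundedPause {
    uint256 public constant MAX_PAUSE_WINDOW = 3 days; // assumed value
    uint256 public constant PAUSE_COOLDOWN = 7 days;   // assumed value
    address public immutable pauser;        // emergency role: may only pause
    address public immutable pauseGuardian; // e.g. a multi-sig: may only unpause

    uint256 public pausedUntil;        // the pause lapses by itself at this time
    uint256 public nextPauseAllowedAt; // earliest time a new pause may start

    event Paused(address indexed by, uint256 until);
    event Unpaused(address indexed by);
    error NotAuthorized();
    error EnforcedPause();
    error PauseCooldownActive();

    constructor(address pauser_, address pauseGuardian_) {
        pauser = pauser_;
        pauseGuardian = pauseGuardian_;
    }

    function paused() public view returns (bool) {
        return block.timestamp < pausedUntil;
    }

    // Guard for user-facing entry points such as deposits and withdrawals.
    modifier whenNotPaused() {
        if (paused()) revert EnforcedPause();
        _;
    }

    function pause() external {
        if (msg.sender != pauser) revert NotAuthorized();
        // Without a cooldown the pauser could re-pause at expiry and defeat the cap.
        if (block.timestamp < nextPauseAllowedAt) revert PauseCooldownActive();
        pausedUntil = block.timestamp + MAX_PAUSE_WINDOW;
        nextPauseAllowedAt = pausedUntil + PAUSE_COOLDOWN;
        emit Paused(msg.sender, pausedUntil);
    }

    // Early unpause keeps the cooldown, so the pauser cannot immediately re-pause.
    function unpause() external {
        if (msg.sender != pauseGuardian) revert NotAuthorized();
        pausedUntil = 0;
        emit Unpaused(msg.sender);
    }
}
```

Because pause() also reverts while a pause is active, a single pauser cannot extend the window; the trade-off is that a second genuine emergency inside the cooldown needs a different response path.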
Lines of code
https://github.com/code-423n4/2024-02-spectra/blob/383202d0b84985122fe1ba53cfbbb68f18ba3986/src/tokens/PrincipalToken.sol#L161-L163
Assessed type
Governance