code-423n4 / 2024-03-abracadabra-money-findings


Missing whenNotPaused modifier #198

Closed c4-bot-7 closed 7 months ago

c4-bot-7 commented 8 months ago

Lines of code

https://github.com/code-423n4/2024-03-abracadabra-money/blob/1f4693fdbf33e9ad28132643e2d6f7635834c6c6/src/blast/BlastOnboarding.sol#L164

Vulnerability details

Impact

Missing whenNotPaused modifier in function claimTokenYields; users can still claim even when the protocol is paused

Proof of Concept

function claimTokenYields(address[] memory tokens) external onlyOwner {
    for (uint256 i = 0; i < tokens.length; i++) {
        if (!supportedTokens[tokens[i]]) {
            revert ErrUnsupportedToken();
        }
        if (registry.nativeYieldTokens(tokens[i])) {
            BlastYields.claimAllTokenYields(tokens[i], feeTo);
        }
    }
}

Tools Used

Recommended Mitigation Steps

function claimTokenYields(address[] memory tokens) external whenNotPaused onlyOwner {
    for (uint256 i = 0; i < tokens.length; i++) {
        if (!supportedTokens[tokens[i]]) {
            revert ErrUnsupportedToken();
        }
        if (registry.nativeYieldTokens(tokens[i])) {
            BlastYields.claimAllTokenYields(tokens[i], feeTo);
        }
    }
}

Assessed type

Invalid Validation

0xm3rlin commented 8 months ago

no factor

c4-pre-sort commented 8 months ago

141345 marked the issue as sufficient quality report

141345 commented 8 months ago

pause can claim

seems intended, it is admin func

0xm3rlin commented 8 months ago

disputed

c4-sponsor commented 7 months ago

0xCalibur (sponsor) disputed

c4-judge commented 7 months ago

thereksfour marked the issue as unsatisfactory: Invalid
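
The distinction this thread turns on, an owner-gated function without the pause modifier versus a user-callable one, shown as an added triage sketch that is not part of the original report or the project's code. The sample headers are constructed: `userDeposit` and `userWithdraw` are hypothetical, and treating `onlyOwner` as the only admin gate is an assumption.

```python
import re

# Constructed sample. claimTokenYields mirrors the header quoted in the report;
# userDeposit, userWithdraw and _sweep are hypothetical, added for contrast.
SAMPLE = """
function userDeposit(address token, uint256 amount) external whenNotPaused { }
function userWithdraw(address token, uint256 amount) external returns (uint256) { }
function claimTokenYields(address[] memory tokens) external onlyOwner { }
function _sweep(address token) internal { }
"""

ADMIN_MODIFIERS = {"onlyOwner"}  # assumption: the only admin gate in scope
PAUSE_MODIFIER = "whenNotPaused"
KEYWORDS = {"external", "public", "internal", "private", "view", "pure",
            "payable", "virtual", "override", "returns"}

# name, parameter list, then everything up to the body or the semicolon
HEADER = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)\s*([^{;]*)[{;]")

def classify(source):
    """Return {function name: verdict} for externally callable functions."""
    verdicts = {}
    for name, _params, tail in HEADER.findall(source):
        # Drop modifier arguments and return types, keep bare identifiers.
        words = set(re.findall(r"[A-Za-z_]\w*", re.sub(r"\([^)]*\)", "", tail)))
        if not words & {"external", "public"}:
            continue  # internal/private: not reachable from outside
        modifiers = words - KEYWORDS
        if PAUSE_MODIFIER in modifiers:
            verdicts[name] = "pausable"
        elif modifiers & ADMIN_MODIFIERS:
            verdicts[name] = "admin-only, not pausable (confirm intent with the team)"
        else:
            verdicts[name] = "user-callable while paused (review)"
    return verdicts

if __name__ == "__main__":
    for fn, verdict in classify(SAMPLE).items():
        print(f"{fn}: {verdict}")
```

Only the last verdict describes a path that ordinary users can reach while the contract is paused; the admin-only case is a design question for the sponsor.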