search

code-423n4 / 2024-03-abracadabra-money-findings

9 stars 7 forks source link

Staking and locking still possible even if contract is paused #61

Open c4-bot-10 opened 8 months ago

c4-bot-10 commented 8 months ago

Lines of code

https://github.com/code-423n4/2024-03-abracadabra-money/blob/1f4693fdbf33e9ad28132643e2d6f7635834c6c6/src/staking/LockingMultiRewards.sol#L349

Vulnerability details

Impact

The stake() and lock() functions have a modifier whenNotPaused restricting use when the contract is paused. However, the privileged stakeFor() function allows operators to deposit and lock funds (for themselves or others) regardless of the pause state.

Proof of Concept

stakeFor() is missing the whenNotPaused modifier.

Tools Used

Manual Analysis

Recommended Mitigation Steps

Add the missing modifier to the function so that deposit are blocked when contract is paused.

Assessed type

Other

c4-pre-sort commented 7 months ago

141345 marked the issue as duplicate of #18

c4-judge commented 7 months ago

thereksfour changed the severity to QA (Quality Assurance)

c4-judge commented 7 months ago

thereksfour marked the issue as grade-b