code-423n4 / 2024-06-renzo-mitigation-findings


M-02 MitigationConfirmed #25

Open c4-bot-9 opened 1 month ago

c4-bot-9 commented 1 month ago

Lines of code

Vulnerability details

See:

| Finding | Mitigation |
| --- | --- |
| M-02: Withdrawals and Claims are meant to be pausable, but it is not possible in practice | Pull Request |

Navigating to M-02 from the previous contest we can see that there was a problem within the WithdrawQueue on how it inherits from PausableUpgradeable to provide administrators with the ability to pause user withdrawals and claims. However, this functionality was ineffective because the user-accessible withdraw and claim functions do not implement the whenNotPaused modifier, rendering the pause capability inaccessible.

As a result, this would have led to the administrators being unable to prevent users from withdrawing or claiming assets during a pause, which can lead to security and operational issues.

Now to resolve this issue, protocol passed on this pull request which sufficiently mitigates the issue considering the whenNotPaused modifier has now been added to the withdraw and claim functions, ensuring that the pausing mechanism works as intended, i.e.:

-    function withdraw(uint256 _amount, address _assetOut) external nonReentrant {
+     function withdraw(uint256 _amount, address _assetOut) external nonReentrant whenNotPaused {
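
Review bot: `whenNotPaused` on `withdraw` only takes effect if the contract also exposes an access-controlled entry point that calls `_pause()` and `_unpause()`; nothing in this hunk shows one, so confirm it exists and add a test asserting that `withdraw` reverts while paused. As a style point, the added line is indented one space deeper than the line it replaces (five spaces after the `+` versus four) and should be aligned with the surrounding declarations.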

...

...

-    function claim(uint256 withdrawRequestIndex) external nonReentrant {

+    function claim(uint256 withdrawRequestIndex) external nonReentrant whenNotPaused {
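
Review bot: Gating `claim` with `whenNotPaused` means a pause also blocks users whose withdraw requests were queued before the pause began; if that is the intended behaviour, state it in the function's NatSpec. A test that queues a request, pauses, and asserts `claim(withdrawRequestIndex)` reverts until unpaused would pin the behaviour down.
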
c4-judge commented 4 weeks ago

alcueca marked the issue as satisfactory
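
The bug class in this finding (a contract inherits `PausableUpgradeable` but its user-facing functions lack `whenNotPaused`) can be caught with a source-level check. The Python below is an added example, not part of the issue thread or the protocol's code; the sample contract is constructed from the two signatures quoted above, and `Initializable`, `initialize`, `pause`, `onlyAdmin` and `pendingCount` are hypothetical names.

```python
import re

CONTRACT = re.compile(r"\bcontract\s+(\w+)\s+is\s+([^{]+)\{")
FUNCTION = re.compile(r"\bfunction\s+(\w+)\s*\([^)]*\)([^{;]*)[{;]")

def ungated_functions(source):
    """Return {contract: [names]} of state-changing external/public functions
    without a pause modifier, for contracts that inherit a Pausable* base."""
    source = re.sub(r"/\*.*?\*/", "", source, flags=re.S)  # strip block comments
    source = re.sub(r"//.*", "", source)                   # strip line comments
    findings = {}
    decls = list(CONTRACT.finditer(source))
    for i, decl in enumerate(decls):
        name, bases = decl.group(1), decl.group(2)
        if "Pausable" not in bases:
            continue
        end = decls[i + 1].start() if i + 1 < len(decls) else len(source)
        missing = []
        for fn in FUNCTION.finditer(source[decl.end():end]):
            words = re.findall(r"\w+", fn.group(2))  # visibility + modifiers
            exposed = "external" in words or "public" in words
            read_only = "view" in words or "pure" in words
            # Assumption: only* modifiers and `initializer` mark admin/setup paths.
            privileged = any(w.startswith("only") or w == "initializer" for w in words)
            gated = "whenNotPaused" in words or "whenPaused" in words
            if exposed and not read_only and not privileged and not gated:
                missing.append(fn.group(1))
        if missing:
            findings[name] = missing
    return findings

# Constructed sample: the pre-mitigation shape described in the finding.
BEFORE = """
contract WithdrawQueue is Initializable, PausableUpgradeable {
    function initialize(address admin) external initializer {}
    function pause() external onlyAdmin { _pause(); }   // hypothetical admin entry point
    function withdraw(uint256 _amount, address _assetOut) external nonReentrant {}
    function claim(uint256 withdrawRequestIndex) external nonReentrant {}
    function pendingCount(address user) public view returns (uint256) {}
}
"""
# Constructed sample: the same contract with the mitigation applied.
AFTER = BEFORE.replace("nonReentrant {}", "nonReentrant whenNotPaused {}")

if __name__ == "__main__":
    print("before:", ungated_functions(BEFORE))
    print("after: ", ungated_functions(AFTER))
```

The check is regex-based and does not follow modifiers applied through internal helpers or inherited functions, so a hit is a prompt for manual review, not a verdict.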