code-423n4 / 2024-06-renzo-mitigation-findings


[M-02] mitigation error: `WithdrawQueue.claim()` should not be pausable #36

Closed c4-bot-8 closed 3 weeks ago

c4-bot-8 commented 4 weeks ago

Lines of code

https://github.com/Renzo-Protocol/Contracts/blob/7dabe5478ec6dbf084135737bb0d88960e80b63e/contracts/Withdraw/WithdrawQueue.sol#L271

Vulnerability details

The fix introduced for M-02 added a whenNotPaused modifier to both the withdraw and claim functions.

While pausing the withdraw function is an important security feature, having claim calls be pausable can harm users who initiated a withdraw and were expecting funds to be available at a certain point in time.

Impact

Calls to claim can be retroactively, unfairly blocked for users.

Proof of Concept

Tools Used

Code review

Recommended Mitigation Steps

Consider applying whenNotPaused to withdraw calls only, and leaving claim calls not pausable.

Assessed type

Governance
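The layout the recommendation describes, as an added illustration (a hypothetical minimal queue built on OpenZeppelin's `Pausable` and `Ownable`, not the Renzo `WithdrawQueue` contract): `withdraw` carries `whenNotPaused`, `claim` does not, so an emergency pause stops new queue entries without retroactively blocking settlement of requests whose cooldown has already elapsed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical example contract; assumes OpenZeppelin Contracts 5.x paths.
import {Pausable} from "@openzeppelin/contracts/utils/Pausable.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

contract ExampleWithdrawQueue is Pausable, Ownable {
    struct Request {
        uint256 amount;      // native token owed to the user (hypothetical)
        uint256 claimableAt; // timestamp after which claim() may settle it
    }

    uint256 public constant COOLDOWN = 7 days; // assumed cooldown length
    mapping(address => Request[]) public requests;

    constructor() Ownable(msg.sender) {}

    // Entry into the queue is pausable: during an incident no new
    // withdrawals can be scheduled.
    function withdraw(uint256 amount) external whenNotPaused {
        // share burn / accounting would happen here (omitted)
        requests[msg.sender].push(Request(amount, block.timestamp + COOLDOWN));
    }

    // Settlement of an already-queued request deliberately has no
    // whenNotPaused, so a pause cannot block funds promised earlier.
    function claim(uint256 index) external {
        Request memory r = requests[msg.sender][index];
        require(block.timestamp >= r.claimableAt, "cooldown not elapsed");

        // swap-and-pop removal before the transfer (checks-effects-interactions)
        uint256 last = requests[msg.sender].length - 1;
        requests[msg.sender][index] = requests[msg.sender][last];
        requests[msg.sender].pop();

        (bool ok, ) = msg.sender.call{value: r.amount}("");
        require(ok, "transfer failed");
    }

    // Funds to back queued requests (hypothetical funding path).
    receive() external payable {}

    function pause() external onlyOwner { _pause(); }
    function unpause() external onlyOwner { _unpause(); }
}
```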

alcueca commented 4 weeks ago

Pausing a protocol is an emergency mechanism, which will most often be used to prevent harm to users due to bugs. Pausing claims seems completely reasonable to me, if allowing them to continue would lead to loss to other users. Pause the protocol, apply the fix, unpause the protocol.

jatinj615 commented 3 weeks ago

Claim is expected to be pausable in case there is any exploit; then the protocol can pause the claims along with deposit and withdraw.

c4-judge commented 3 weeks ago

alcueca marked the issue as unsatisfactory: Invalid