Closed c4-bot-8 closed 3 weeks ago
Pausing a protocol is an emergency mechanism, which will most often be used to prevent harm to users due to bugs. Pausing claims seems completely reasonable to me, if allowing them to continue would lead to loss to other users. Pause the protocol, apply the fix, unpause the protocol.
Claim in expected to be pausable if in case there is any exploit the n protocol can pause the claims along with deposit and withdraw.
alcueca marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/Renzo-Protocol/Contracts/blob/7dabe5478ec6dbf084135737bb0d88960e80b63e/contracts/Withdraw/WithdrawQueue.sol#L271
Vulnerability details
The fix introduced for M-02 added a
whenNotPaused
modifier to both thewithdraw
andclaim
functions.While pausing the
withdraw
function is an important security feature, havingclaim
calls to be pausable, can harm users who initiated a withdraw and were expecting funds to be available at a certain point in time.Impact
Calls to
claim
can be retroactively, unfairly blocked for users.Proof of Concept
WithdrawQueue.pause()
claim()
Tools Used
Code review
Recommended Mitigation Steps
Consider applying
whenNotPaused
towithdraw
calls only, and leavingclaim
calls not pausable.Assessed type
Governance