Lines of code
https://github.com/LoopFi/loop-prelaunch-contracts/blob/c8b13474aa4f319eec368fc4827bf51eddad080f/src/PrelaunchPoints.sol#L384
Vulnerability details
Description
The emergency mechanism ensures that users' funds remain safe and accessible regardless of external dependencies: if 0x stops working as intended, LRTs are not locked in the contract. This is critical in scenarios where users need quick access to their assets due to unforeseen circumstances.
Proof of Concept
https://github.com/LoopFi/loop-prelaunch-contracts/blob/c8b13474aa4f319eec368fc4827bf51eddad080f/src/PrelaunchPoints.sol#L384C5-L386C6
Impact
onlyAdmin functions that change critical contract parameters, addresses, or state should emit an event, and adding time locks should be considered, so that users can detect upcoming changes through front-end interfaces that listen for this event and take necessary actions. See the similar Medium-severity finding in ConsenSys's audit of the 1inch Liquidity Protocol (https://consensys.net/diligence/audits/2020/12/1inch-liquidity-protocol/#unpredictable-behavior-for-users-due-to-admin-front-running-or-general-bad-timing).
Tools Used
Manual review.
Recommended Mitigation Steps
The setEmergencyMode function should set the emergencyMode flag to true and emit the EmergencyModeActivated event. The EmergencyModeActivated event should log the address of the activator and the timestamp when emergency mode was activated. We should alert users through front-end interfaces that listen for this event, allowing them to take necessary actions.
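One way the recommended change could look, as an added sketch that is not the project's own code. The contract name, the owner check, the custom errors, the bool parameter and the EmergencyModeDeactivated event are assumptions made for illustration; only setEmergencyMode, emergencyMode and EmergencyModeActivated come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration only; this is not the PrelaunchPoints contract.
contract EmergencyModeSketch {
    address public immutable owner; // assumed admin role
    bool public emergencyMode;

    /// Logs who activated emergency mode and when.
    /// `activator` is indexed so front ends can filter on it.
    event EmergencyModeActivated(address indexed activator, uint256 timestamp);

    /// Hypothetical counterpart so listeners also see the flag being cleared.
    event EmergencyModeDeactivated(address indexed deactivator, uint256 timestamp);

    error NotAuthorized();
    error ModeUnchanged();

    // Assumed access control; the real contract's modifier may differ.
    modifier onlyAuthorized() {
        if (msg.sender != owner) revert NotAuthorized();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    /// Changes the flag and always emits an event for the transition.
    function setEmergencyMode(bool _mode) external onlyAuthorized {
        // Reject no-op calls so every emitted event marks a real state change.
        if (emergencyMode == _mode) revert ModeUnchanged();

        emergencyMode = _mode;

        if (_mode) {
            emit EmergencyModeActivated(msg.sender, block.timestamp);
        } else {
            emit EmergencyModeDeactivated(msg.sender, block.timestamp);
        }
    }
}
```

A front end or monitoring service can subscribe to EmergencyModeActivated on the contract address and surface the activator and timestamp to users as soon as the transaction is mined.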