Open hats-bug-reporter[bot] opened 3 weeks ago
Hello,
We classified this issue as Invalid because in this case `flashloanLender` can only be PTs, so `onFlashLoan()` can only be called by PTs which can also be paused, thus making this not exploitable.
Thanks
Github username: @rilwan99
Twitter username: --
Submission hash (on-chain): 0x371b5e930fc45b307e7ba3f3cf987136a99f803c9df0fc9b9cd4503e7737179e
Severity: high

Description:
The `Router.sol` contract inherits from `PausableUpgradeable.sol`, allowing it to be placed in a paused state via the `pause()` function by a user with the appropriate access control. The `whenNotPaused` modifier is used to ensure that calls to the router are reverted if it is in a paused state. However, the `onFlashLoan()` function lacks this modifier. This means that even if the Router is paused, users can still initiate flash loans. This could lead to potential exploits where malicious users might compromise the router while it is paused.

Attack Scenario
Describe how the vulnerability can be exploited.
Attachments
Proof of Concept (PoC) File
Revised Code File (Optional)
Include a `whenNotPaused` modifier in the function `onFlashLoan()`
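
Added example, not part of the submission and not the project's Router code: a minimal pausable flash-loan receiver whose callback is gated by `whenNotPaused` and by a check on which lender is calling, the two controls discussed in this thread. The contract name, the `trustedLender` allow-list, the ERC-3156-style callback signature and the OpenZeppelin Contracts Upgradeable v5 import paths are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: OpenZeppelin Contracts Upgradeable v5.x import paths.
import {PausableUpgradeable} from "@openzeppelin/contracts-upgradeable/utils/PausableUpgradeable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

/// Hypothetical receiver for illustration; not the audited Router.
contract PausableFlashReceiver is PausableUpgradeable, OwnableUpgradeable {
    // Value an ERC-3156 borrower returns to signal a successful callback.
    bytes32 private constant CALLBACK_SUCCESS = keccak256("ERC3156FlashBorrower.onFlashLoan");

    // Hypothetical allow-list of lender contracts permitted to call back.
    mapping(address => bool) public trustedLender;

    error UntrustedLender(address caller);
    error UntrustedInitiator(address initiator);

    function initialize(address owner_) external initializer {
        __Ownable_init(owner_);
        __Pausable_init();
    }

    function setTrustedLender(address lender, bool allowed) external onlyOwner {
        trustedLender[lender] = allowed;
    }

    function pause() external onlyOwner { _pause(); }
    function unpause() external onlyOwner { _unpause(); }

    // whenNotPaused makes the callback revert while this contract is paused,
    // independently of whether the calling lender is itself paused.
    function onFlashLoan(
        address initiator,
        address, /* token */
        uint256, /* amount */
        uint256, /* fee */
        bytes calldata /* data */
    ) external whenNotPaused returns (bytes32) {
        // Only an allow-listed lender may invoke the callback.
        if (!trustedLender[msg.sender]) revert UntrustedLender(msg.sender);
        // Only loans this contract requested itself are accepted.
        if (initiator != address(this)) revert UntrustedInitiator(initiator);
        // Loan-funded work would run here, after all three checks pass.
        return CALLBACK_SUCCESS;
    }
}
```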