Concerns about pause and pause-related functions across the code
Summary
Pause operations don't include proper timelocks / access control.
Also, there are pause operations on both the calls for moving assets in and the calls for moving assets out (redeem), which is not recommended from a trust point of view.
Vulnerability Detail
There is a huge concern about pause, as noted in the audit scope / concerns. This is the reason why I chose the High label.
As stated in the documentation:
That said, we retain multiple methods for approvals / withdrawals / fees / pausing gated behind admin methods to ensure the protocol can effectively safeguard user funds during the early operation of the protocol. NOTE: For the most part these methods have delays to give time for users to exit. Further, the admin will always be a multi-sig.
Deivitto
high
However, no delay is used for these pause operations in:
Lender
Redeemer
There is no access control either; they can be called by anyone:
Lender
MarketPlace
Impact
Code Snippet
https://github.com/sherlock-audit/2023-01-illuminate/blob/main/src/Redeemer.sol#L246-L253
https://github.com/sherlock-audit/2023-01-illuminate/blob/main/src/mocks/MarketPlace.sol#L88-L95
Tool used
Manual Review
Recommendation
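The following Solidity contract is an added example, not code from the Illuminate repository or from this report's author: it shows a pause that is admin-gated and only takes effect after an announced delay, while the redeem path stays open. The contract name, the 3-day `DELAY`, the `market` identifier and the balance bookkeeping are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;
// Added illustration: names, DELAY and storage layout are assumptions.
contract DelayedPause {
    address public immutable admin;              // assumed to be the multi-sig
    uint256 public constant DELAY = 3 days;      // assumed exit window
    mapping(uint256 => bool) public paused;      // market id => paused
    mapping(uint256 => uint256) public pauseAt;  // earliest effective time, 0 = none
    mapping(address => mapping(uint256 => uint256)) public balance;
    event PauseScheduled(uint256 indexed market, uint256 effectiveAt);
    error Unauthorized();
    error NotReady(uint256 effectiveAt);
    error IsPaused(uint256 market);
    modifier onlyAdmin() {
        if (msg.sender != admin) revert Unauthorized();
        _;
    }
    constructor(address a) { admin = a; }

    // Step 1: announce the pause on-chain so users can react before it lands.
    function schedulePause(uint256 market) external onlyAdmin {
        pauseAt[market] = block.timestamp + DELAY;
        emit PauseScheduled(market, pauseAt[market]);
    }

    // Step 2: takes effect only after the delay; unscheduled calls revert too.
    function executePause(uint256 market) external onlyAdmin {
        uint256 t = pauseAt[market];
        if (t == 0 || block.timestamp < t) revert NotReady(t);
        delete pauseAt[market];
        paused[market] = true;
    }

    // Unpausing (or cancelling a scheduled pause) restores access: no delay.
    function unpause(uint256 market) external onlyAdmin {
        delete pauseAt[market];
        paused[market] = false;
    }

    // Inbound path honours the pause flag.
    function lend(uint256 market, uint256 amount) external {
        if (paused[market]) revert IsPaused(market);
        balance[msg.sender][market] += amount; // token transfer omitted
    }

    // Exit path ignores the flag, so a pause cannot trap deposits.
    function redeem(uint256 market, uint256 amount) external {
        balance[msg.sender][market] -= amount; // reverts on underflow in 0.8.x
    }
}
```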