search

sherlock-audit / 2023-03-taurus-judging

4 stars 0 forks source link

peanuts - User cannot exit paused vaults #185

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

peanuts

medium

User cannot exit paused vaults

Summary

User cannot exit paused vaults.

Vulnerability Detail

Documentation states: 

Pause vaults. Users can exit paused vaults, but otherwise no significant action should be possible on them.

but user cannot withdraw their collateral when vault is paused.

    it("cannot modify position if the vault is paused", async () => {
      await expect(gmxVault.modifyPosition(PRECISION, PRECISION, true, false)).to.be.revertedWith("Pausable: paused");
    });

Since the protocol has one function, modifyPosition(), to handle both debt loans and repayment, and collateral deposits and withdrawal, the modifier whenNotPaused will impact all actions related to collateral and debt changes.

    function modifyPosition(
        uint256 _collateralDelta,
        uint256 _debtDelta,
        bool _increaseCollateral,
        bool _increaseDebt
    ) external whenNotPaused updateReward(msg.sender) {
        _modifyPosition(msg.sender, _collateralDelta, _debtDelta, _increaseCollateral, _increaseDebt);
    }

Impact

User cannot exit paused vaults.

Code Snippet

https://github.com/sherlock-audit/2023-03-taurus/blob/main/taurus-contracts/contracts/Vault/BaseVault.sol#L212-L219

Tool used

Manual Review

Recommendation

Consider splitting the debt and collateral change functions so that whenNotPaused can only affect debt repayment and loan.

Sierraescape commented 1 year ago

Users can exit their positions by calling emergencyClosePosition when the vault is paused.