PausableImpl lacks some sanity checks, including 1) zero address check for owner, 2) checking state of $paused for function setPaused().
Vulnerability Detail
PausableImpl is an abstract contract that allows the owner to pause/unpause a contract and add the modifier pausable to a function so that the function can be called only when the contract is not paused.
However, there are two issues for the current implementation:
The __initPausable() lacks the zero address check for owner_. If zero address is entered for owner_ by mistake or on purpose, the ownership will be lost forever. Costing redeployment might be necessary.
The setPaused() performs a blind overwritting to the state of $paused before checking the previous state, and emit unnecessary SetPaused(paused_) event when the new state of $paused is the same as the old one.
function setPaused(bool paused_) public virtual onlyOwner {
$paused = paused_;
emit SetPaused(paused_);
}
A check is needed to avoid making unnecessary state change and redundant event emitting.
Impact
If zero address is entered for owner, the contract will lost ownership forever and a redeployment is necessary. The unnecessary SetPaused(paused_) event might unnecessarily trigger some applications that depend on the state of $paused such as trading strategies.
Code Snippet
See above
Tool used
Remix
Manual Review
Recommendation
Add a zero address check for the input owner.
setPaused() is revised as follows:
function setPaused(bool paused_) public virtual onlyOwner {
+ if($pause == paused_) pausedStateNoChange();
$paused = paused_;
emit SetPaused(paused_);
}
chaduke
medium
PausableImpl() lacks some sanity checks
Summary
PausableImpl lacks some sanity checks, including 1) zero address check for
owner
, 2) checking state of$paused
for functionsetPaused()
.Vulnerability Detail
PausableImpl
is an abstract contract that allows the owner to pause/unpause a contract and add the modifierpausable
to a function so that the function can be called only when the contract is not paused.https://github.com/sherlock-audit/2023-04-splits/blob/main/splits-utils/src/PausableImpl.sol#L9-L62
However, there are two issues for the current implementation:
__initPausable()
lacks the zero address check forowner_
. If zero address is entered forowner_
by mistake or on purpose, the ownership will be lost forever. Costing redeployment might be necessary.setPaused()
performs a blind overwritting to the state of$paused
before checking the previous state, and emit unnecessarySetPaused(paused_)
event when the new state of$paused
is the same as the old one.A check is needed to avoid making unnecessary state change and redundant event emitting.
Impact
If zero address is entered for
owner
, the contract will lost ownership forever and a redeployment is necessary. The unnecessarySetPaused(paused_)
event might unnecessarily trigger some applications that depend on the state of$paused
such as trading strategies.Code Snippet
See above
Tool used
Remix
Manual Review
Recommendation
Add a zero address check for the input
owner
.setPaused()
is revised as follows: