Pauser role can pause the contracts, and since it is not the owner, it can prevent users from closing their positions
Summary
Since the pauser role is not mentioned in the README, it is likely that it can't be trusted, so it can cause all contracts and deposit/withdraw/close calls to be stuck for users.
Vulnerability Detail
The pauser role has too much control over public functions like openTake, closeTake, closeMake, depositTo and withdrawTo.
Steps:
1. Bob (victim) opens a 10 ETH short position.
2. The price starts to rise exponentially, causing Bob to get hit with a huge funding rate against him.
3. Bob tries to call closeTake.
4. Alice (pauser) front-runs Bob and pauses the contract.
5. Bob's transaction reverts and he is not able to close his position.
Impact
Bob incurs a loss caused by an untrusted actor.
Code Snippet
Just one of the functions, but an important step for this attack:
function closeTakeFor(address account, UFixed18 amount)
    public
    nonReentrant
    notPaused // the call reverts while the protocol is paused
Tool used
Manual Review
Recommendation
Make the pauser more trusted, or have an emergency function to withdraw/close a position.
simon135
high
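One way to implement the recommendation above, as an added sketch that is not part of the original report or the audited protocol's code: the pause flag gates only the entry points that add risk, while closing and withdrawing stay callable. The contract name, storage layout and error names are hypothetical, and funding and settlement are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
// Hypothetical sketch, not the audited protocol's code: the pause flag gates
// only entry points that add risk; exits stay callable while paused.
contract PauseWithOpenExits {
    address public immutable pauser;
    bool public paused;
    mapping(address => uint256) public collateral; // simplified accounting
    mapping(address => uint256) public position;   // simplified position size

    error NotPauser();
    error Paused();
    error PositionTooSmall();
    error PositionStillOpen();

    modifier notPaused() {
        if (paused) revert Paused();
        _;
    }

    constructor(address pauser_) { pauser = pauser_; }

    function setPaused(bool value) external {
        if (msg.sender != pauser) revert NotPauser();
        paused = value;
    }

    // Risk-increasing: blocked while paused.
    function depositTo(address account) external payable notPaused {
        collateral[account] += msg.value;
    }
    function openTake(uint256 amount) external notPaused {
        position[msg.sender] += amount;
    }

    // Risk-reducing: deliberately not gated by notPaused.
    function closeTake(uint256 amount) external {
        if (position[msg.sender] < amount) revert PositionTooSmall();
        position[msg.sender] -= amount;
    }
    function withdrawTo(address payable to, uint256 amount) external {
        if (position[msg.sender] != 0) revert PositionStillOpen();
        collateral[msg.sender] -= amount; // checked math reverts on underflow
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Whether exits can safely stay open during a pause depends on why the pause was triggered; a production design would also need settlement and pricing to remain trustworthy on the exit path.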