zzykxx - `challengeTransaction()` should be callable when the protocol is paused

[sherlock-admin]

zzykxx

medium

challengeTransaction() should be callable when the protocol is paused

Summary

The function challengeTransaction() in TelcoinDistributor.sol should be callable when the protocol is paused.

Vulnerability Detail

The pause functionality in TelcoinDistributor.sol is used during emergencies. During an emergency it should be possible for council members to call the function challengeTransaction() to reject the execution of malicious proposed transactions.

Let's suppose TelcoinDistributor.sol has to be paused, the owner calls the pause() function. It's possible that, either accidentally or purposefully, a new malicious transaction is proposed via proposeTransaction() that gets executed right before the contract is paused. In this state there is a timeframe where the new proposed transaction should be challenged but it's not possible to do so.

If the contract stays paused for more than challengePeriod as soon as the contract is unpaused the malicious transaction can be executed via executeTransaction().

Impact

Funds might be stolen by a council member and/or further measures are required to prevent the execution of the malicious transaction (ex. remove the malicious council member and hope the others won't execute the function).

Code Snippet

• challengeTransaction()

Tool used

Manual Review

Recommendation

Remove the whenNotPaused modifier from challengeTransaction().

Duplicate of #24

[sherlock-admin2]

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid because { This is invalid due to the reason mentioned in issue 024}