search

sherlock-audit / 2024-02-tapioca-judging

2 stars 2 forks source link

Tendency - MIssing Admin Setters for `_pause()` and `_unpause()` #24

Closed sherlock-admin3 closed 7 months ago

sherlock-admin3 commented 7 months ago

Tendency

medium

MIssing Admin Setters for _pause() and _unpause()

Summary

The contracts mTOFT, AssetToSGLPLeverageExecutor, and Usdo utilize the whenNotPaused modifier for contract control but fail to implement an owner-only functionality for pausing and unpausing the contracts.

Vulnerability Detail

The following contracts mTOFT, AssetToSGLPLeverageExecutor and Usdo all inherit from OpenZeppelin Pausable contract, and also make use of the whenNotPaused modifier for contract control, but fail to include an owner only functionality for pausing and unpausing the contracts.

The whenNotPaused modifier is used in the following contract functions:

https://github.com/sherlock-audit/2024-02-tapioca/blob/dc2464f420927409a67763de6ec60fe5c028ab0e/Tapioca-bar/contracts/markets/leverage/AssetToSGLPLeverageExecutor.sol#L75

https://github.com/sherlock-audit/2024-02-tapioca/blob/dc2464f420927409a67763de6ec60fe5c028ab0e/TapiocaZ/contracts/tOFT/mTOFT.sol#L316

https://github.com/sherlock-audit/2024-02-tapioca/blob/dc2464f420927409a67763de6ec60fe5c028ab0e/TapiocaZ/contracts/tOFT/mTOFT.sol#L237

https://github.com/sherlock-audit/2024-02-tapioca/blob/dc2464f420927409a67763de6ec60fe5c028ab0e/TapiocaZ/contracts/tOFT/mTOFT.sol#L290

https://github.com/sherlock-audit/2024-02-tapioca/blob/dc2464f420927409a67763de6ec60fe5c028ab0e/TapiocaZ/contracts/tOFT/mTOFT.sol#L316 https://github.com/sherlock-audit/2024-02-tapioca/blob/dc2464f420927409a67763de6ec60fe5c028ab0e/Tapioca-bar/contracts/usdo/Usdo.sol#L155

https://github.com/sherlock-audit/2024-02-tapioca/blob/dc2464f420927409a67763de6ec60fe5c028ab0e/Tapioca-bar/contracts/usdo/Usdo.sol#L191

https://github.com/sherlock-audit/2024-02-tapioca/blob/dc2464f420927409a67763de6ec60fe5c028ab0e/Tapioca-bar/contracts/usdo/Usdo.sol#L243

https://github.com/sherlock-audit/2024-02-tapioca/blob/dc2464f420927409a67763de6ec60fe5c028ab0e/Tapioca-bar/contracts/usdo/Usdo.sol#L255

Impact

In the event of a security incident requiring the pausing of major functionalities, the absence of an admin setter prevents the contracts from being paused, potentially exacerbating the impact of the incident.

Code Snippet

https://github.com/sherlock-audit/2024-02-tapioca/blob/dc2464f420927409a67763de6ec60fe5c028ab0e/Tapioca-bar/contracts/usdo/Usdo.sol#L45

https://github.com/sherlock-audit/2024-02-tapioca/blob/dc2464f420927409a67763de6ec60fe5c028ab0e/Tapioca-bar/contracts/markets/leverage/AssetToSGLPLeverageExecutor.sol#L40

https://github.com/sherlock-audit/2024-02-tapioca/blob/dc2464f420927409a67763de6ec60fe5c028ab0e/TapiocaZ/contracts/tOFT/mTOFT.sol#L50

Tool used

Manual Review

Recommendation

Add an owner-only function for pausing and unpausing the contracts.

Duplicate of #64

maarcweiss commented 7 months ago

Dup of https://github.com/sherlock-audit/2024-02-tapioca-judging/issues/64

sherlock-admin3 commented 7 months ago

1 comment(s) were left on this issue during the judging contest.

WangAudit commented:

they inherit from pausable contract which has the pause function; yeah protocols often override them; but in that case I believe they decided not to do that!