sherlock-audit / 2024-02-tapioca-judging


bin2chen - Multiple contracts cannot be paused #64

Open sherlock-admin4 opened 7 months ago

sherlock-admin4 commented 7 months ago

bin2chen

medium

Multiple contracts cannot be paused

Summary

For safety, Tapioca has added whenNotPaused restrictions to multiple contracts, but no method is provided to modify the _paused state. If a security event occurs, the contracts cannot be paused at all.

Vulnerability Detail

Take mTOFT.sol as an example; multiple methods are whenNotPaused:

```solidity
    function executeModule(ITOFT.Module _module, bytes memory _data, bool _forwardRevert)
        external
        payable
@>      whenNotPaused
        returns (bytes memory returnData)
    {
...
    function sendPacket(LZSendParam calldata _lzSendParam, bytes calldata _composeMsg)
        public
        payable
@>      whenNotPaused
        returns (MessagingReceipt memory msgReceipt, OFTReceipt memory oftReceipt)
    {
```

But the contract does not provide a public method to modify _paused. Note: Pausable.sol does not have a public method to modify _paused either.

In reality, there have been multiple reports of security incidents where the protocol side wanted to pause to prevent losses but could not. Adding a pause method is strongly recommended.

Note: The following contracts cannot be paused

Impact

Because _paused cannot be modified, this poses a security risk.

Code Snippet

https://github.com/sherlock-audit/2024-02-tapioca/blob/main/TapiocaZ/contracts/tOFT/mTOFT.sol#L50

Tool used

Manual Review

Recommendation

+    function pause() external onlyOwner{
+        _pause();
+    }

+    function unpause() external onlyOwner{
+        _unpause();
+    }
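Review bot: `onlyOwner` assumes mTOFT already inherits an ownership mixin that defines that modifier; if it does not, these two functions will not compile, so the fix should state which base contract supplies it. A dedicated pauser role (separate from the owner key) is worth considering, since pausing is time-critical and the account holding it should not need full ownership. With OpenZeppelin's Pausable, `_pause()` is guarded by `whenNotPaused` and `_unpause()` by `whenPaused`, so a repeated call reverts rather than silently doing nothing; callers of these wrappers should expect that. Minor style: `onlyOwner{` is missing the space before the brace.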
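The following is an added illustration (not code from the Tapioca repository or from the issue author) of the pattern the report describes: a contract whose functions are guarded by whenNotPaused but that exposes no way to ever flip _paused, beside the same contract with owner-gated pause/unpause entry points. The MiniPausable and MiniOwnable bases, the vault contracts and their deposit/withdraw functions are all hypothetical; MiniPausable mirrors the shape of OpenZeppelin's Pausable (private _paused, internal _pause/_unpause) so the point carries over directly.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal Pausable in the shape of OpenZeppelin's: the flag is
// private and the only ways to change it are the *internal* _pause/_unpause.
// Nothing in this base can be called by an external account.
abstract contract MiniPausable {
    bool private _paused;

    event Paused(address account);
    event Unpaused(address account);

    modifier whenNotPaused() {
        require(!_paused, "Pausable: paused");
        _;
    }

    modifier whenPaused() {
        require(_paused, "Pausable: not paused");
        _;
    }

    function paused() public view returns (bool) {
        return _paused;
    }

    // Reverts if already paused, like OpenZeppelin's _pause().
    function _pause() internal whenNotPaused {
        _paused = true;
        emit Paused(msg.sender);
    }

    // Reverts if not paused, like OpenZeppelin's _unpause().
    function _unpause() internal whenPaused {
        _paused = false;
        emit Unpaused(msg.sender);
    }
}

// Hypothetical minimal ownership mixin supplying the onlyOwner modifier.
abstract contract MiniOwnable {
    address public owner;

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "Ownable: not owner");
        _;
    }
}

// "Before": every state-changing function carries whenNotPaused, but no
// external or public function ever reaches _pause(). The guard is dead code:
// in an incident the owner has no way to stop deposits or withdrawals.
contract UnpausableVault is MiniPausable, MiniOwnable {
    mapping(address => uint256) public balances;

    function deposit() external payable whenNotPaused {
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) external whenNotPaused {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// "After": the same vault with access-controlled entry points that call the
// internal _pause/_unpause, which is what the recommendation above adds.
contract PausableVault is MiniPausable, MiniOwnable {
    mapping(address => uint256) public balances;

    function deposit() external payable whenNotPaused {
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) external whenNotPaused {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // Exposed so the owner can actually halt the guarded functions.
    function pause() external onlyOwner {
        _pause();
    }

    function unpause() external onlyOwner {
        _unpause();
    }
}
```

A quick way to catch this class of bug during review is mechanical: for every contract that applies whenNotPaused, grep for an external or public function that calls _pause(); if none exists and no inherited contract provides one, the modifier can never take effect. In the hardened variant the two wrappers are gated by onlyOwner to match the recommendation; a separate pauser role works the same way and lets a faster-reacting account halt the contract without holding the owner key.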
sherlock-admin2 commented 6 months ago

1 comment(s) were left on this issue during the judging contest.

WangAudit commented:

refer to 24

sherlock-admin4 commented 6 months ago

The protocol team fixed this issue in PR/commit https://github.com/Tapioca-DAO/TapiocaZ/commit/5cf2563fdd12787f5414690ede10681af6630eb8.