Tri-pathi - Token can be transferred even in the case of emergency

[sherlock-admin2]

Tri-pathi

medium

Token can be transferred even in the case of emergency

Summary

Lock.sol implements pause/unpause flags to block staking and withdrawals in case of an emergency. However, there are some paths open which can be exploited by an attacker to withdraw tokens even during such situations.

Vulnerability Detail

In the event of an emergency, the Admin can call Lock.pause() to set pause == true. This action is intended to block stake and earlyExitById() operations due to theWhenNotPaused modifier. However,exitLateById() does not have such a modifier, allowing users to withdraw assets by calling exitLate

Why is this an issue?

Emergency Token Outflow : In an emergency, all outflows of tokens should be blocked. However, this is not the case as exitLateById() remains operational

Uniform Risk : Users with very near unlock times have the same risk as users performing an early exit. If users can withdraw assets during an emergency, it poses a problem. Yet, only one method is blocked.

Automatic Restaking: While staking is paused, upon completing the lock period, restaking will happen automatically. This contradicts the purpose of the pause state in staking.

Impact

Withdrawal of assets in case of emergency

Code Snippet

https://github.com/sherlock-audit/2024-05-gamma-staking/blob/main/StakingV2/src/Lock.sol#L349

Tool used

Manual Review

Recommendation

Prevent withdrawal and Restaking of tokens in case of emergency

[santipu03]

The protocol decided to make pausable entry-point functions (stake and restake) and not some of the exit-point functions (exiting late and withdrawals). In case of an emergency, users will be able to withdraw the staked funds but not to stake again or withdraw rewards. Because this is the intended design of the protocol, this issue is low (invalid).