search

sherlock-audit / 2024-08-cork-protocol-judging

2 stars 2 forks source link

KupiaSec - Incorrect implementation of the modifier `LVDepositNotPaused()` #212

Closed sherlock-admin2 closed 2 months ago

sherlock-admin2 commented 2 months ago

KupiaSec

High

Incorrect implementation of the modifier LVDepositNotPaused()

Summary

The modifier LVDepositNotPaused() is intended to check whether deposits to the liquidity vault are paused; however, it mistakenly verifies if withdrawals are paused instead. Consequently, deposits can still be made even when they should be paused.

Vulnerability Detail

As shown in line 109, the modifier LVDepositNotPaused() checks whether withdrawals are paused instead of verifying if deposits are paused. Consequently, if deposits are paused while withdrawals are not, deposits to the liquidity vault can still occur, as the incorrect modifier LVDepositNotPaused() is being used.

    modifier LVDepositNotPaused(Id id) {
109     if (states[id].vault.config.isWithdrawalPaused) {
            revert LVDepositPaused();
        }
        _;
    }

Impact

Pausing deposits is ineffective, allowing users to continue depositing into the liquidity vault even when deposits are supposed to be paused.

Code Snippet

https://github.com/sherlock-audit/2024-08-cork-protocol/tree/main/Depeg-swap/contracts/core/ModuleState.sol#L108-L113

Tool used

Manual Review

Recommendation

The modifier should be corrected as follows.

    modifier LVDepositNotPaused(Id id) {
-       if (states[id].vault.config.isWithdrawalPaused) {
+       if (states[id].vault.config.isDepositPaused) {
            revert LVDepositPaused();
        }
        _;
    }

Duplicate of #182