search

sherlock-audit / 2024-08-sentiment-v2-judging

5 stars 5 forks source link

h2134 - None of the functions in SuperPool checks pause state #270

Open sherlock-admin4 opened 3 months ago

sherlock-admin4 commented 3 months ago

h2134

Medium

None of the functions in SuperPool checks pause state

Summary

None of the functions in SuperPool checks pause state.

Vulnerability Detail

SuperPool contract is Pausable. SuperPool.sol#L25:

contract SuperPool is Ownable, Pausable, ReentrancyGuard, ERC20 {

togglePause() is implemented to toggle pause state of the SuperPool. SuperPool.sol#L163-L167:

    /// @notice Toggle pause state of the SuperPool
    function togglePause() external onlyOwner {
        if (Pausable.paused()) Pausable._unpause();
        else Pausable._pause();
    }

However, none of the functions in SuperPool checks the pause state, renders the pause functionality meaningless. As confirmed with sponsor, pause state checking should be implemented on some functions.

Impact

None of the functions in SuperPool can be paused.

Code Snippet

https://github.com/sherlock-audit/2024-08-sentiment-v2/blob/main/protocol-v2/src/SuperPool.sol#L25

Tool used

Manual Review

Recommendation

It is recommend to implemented pause state checking on some of the functions, for example, and deposit() and mint() functions: SuperPool.sol#L258:

-    function deposit(uint256 assets, address receiver) public nonReentrant returns (uint256 shares) {
+    function deposit(uint256 assets, address receiver) public whenNotPaused nonReentrant returns (uint256 shares) {

SuperPool.sol#L269:

-    function mint(uint256 shares, address receiver) public nonReentrant returns (uint256 assets) {
+    function mint(uint256 shares, address receiver) public whenNotPaused nonReentrant returns (uint256 assets) {
sherlock-admin2 commented 1 month ago

The protocol team fixed this issue in the following PRs/commits: https://github.com/sentimentxyz/protocol-v2/pull/305