Mahi_Vasisth - `paused` Function Of `StandardBridge` Always Returns False, Ignoring Bridge Pause State

[sherlock-admin3]

Mahi_Vasisth

Medium

paused Function Of StandardBridge Always Returns False, Ignoring Bridge Pause State

Summary

The paused function in the contract is supposed to return true or false based on whether the bridge is paused or not. However, it is currently hardcoded to always return false, meaning it indicates the contract is never paused. This flaw can lead to critical functions executing even when the bridge should be paused, potentially leading to the exploitation of the bridge's logic, as certain functions might be invoked during a paused state when they should not be available.

Vulnerability Detail

1. The function is designed to determine whether the contract is paused based on the bridge state, returning true if the bridge is paused and false if it is not.
2. In its current form, the function always returns false, regardless of the actual paused state of the contract or bridge.

   Impact

3. Bypassing Pause Restrictions: Functions that should only execute when the bridge is active (i.e., not paused) will continue to operate, even if the bridge has been paused for maintenance, upgrades, or security concerns.
4. Potential Exploitation: This could allow malicious actors to exploit the contract by calling functions that are vulnerable or inappropriate to run while the bridge is paused. It can also lead to accidental disruptions in bridge operations or loss of funds.

   Code Snippet

   https://github.com/sherlock-audit/2024-08-tokamak-network/blob/main/tokamak-thanos/packages/tokamak/contracts-bedrock/src/universal/StandardBridge.sol#L166-L168

   Tool used

   Manual Review

   Recommendation

   Correct the paused Logic:

5. Modify the paused function to return the actual state of the bridge by checking the correct paused status from the SuperchainConfig on L1.
6. Implement the appropriate logic for L2 to handle the no-op situation.