Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Lack of Pause Mechanism #61

Open
code423n4 opened this issue Oct 14, 2021 · 2 comments
Open

Lack of Pause Mechanism #61

code423n4 opened this issue Oct 14, 2021 · 2 comments
Labels
0 (Non-critical) Code style, clarity, syntax, versioning, off-chain monitoring (events etc), exclude gas optimisation bug Warden finding sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons

Comments

@code423n4
Copy link
Contributor

Handle

leastwood

Vulnerability details

Impact

Due to the sensitive nature of PoolTogether's smart contract suite via dealing with user's deposits, withdrawals and prize distribution calculations, it may prove useful to introduce a pause mechanism to enable the admin role to quickly mitigate any issues in the protocol should they arise.

Proof of Concept

https://github.com/pooltogether/v4-core/tree/master/contracts

Tools Used

Manual code review

Recommended Mitigation Steps

Consider adding a pause mechanism such that all sensitive functions are pauseable by the admin role. Additionally, it might be helpful to allow the admin role to completely remove the pause mechanism down the line after PoolTogether has had significant uptime with no disclosed vulnerabilities.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Warden finding labels Oct 14, 2021
code423n4 added a commit that referenced this issue Oct 14, 2021
@code423n4
leastwood issue #61
3ca18fa
@aodhgan aodhgan added sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons and removed sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons labels Oct 14, 2021
@asselstine asselstine added TODO sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons and removed TODO labels Oct 14, 2021
@asselstine
Copy link
Collaborator

The PrizePool has proven to be solid, so we're confident not having a pause.

@GalloDaSballo
Copy link
Collaborator

The sponsor acknowledges the finding and claims that they're confident without a pause functionality
Since the finding doesn't specify any potential attack vector, and most likely takes inspiration from design's similar to yearns and other vault architecture, am changing the severity to Non-Critical as the suggestion is a best-practice / good advice

@GalloDaSballo GalloDaSballo added 0 (Non-critical) Code style, clarity, syntax, versioning, off-chain monitoring (events etc), exclude gas optimisation and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Oct 15, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
0 (Non-critical) Code style, clarity, syntax, versioning, off-chain monitoring (events etc), exclude gas optimisation bug Warden finding sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@asselstine @GalloDaSballo @aodhgan @code423n4