Skip to content

Latest commit

 

History

History
43 lines (24 loc) · 1.4 KB

File metadata and controls

43 lines (24 loc) · 1.4 KB

Furry Hickory Gazelle

Medium

Missing Pausable Modifier Allows Unauthorized Fund Transfers to Locked Ethos Contract

Summary

The increaseVouch function in the Ethos contract allows users to add funds (vouchers) to a specified profile. While the contract implements a mechanism to lock activities using a pausable state, this specific function does not include a check for whether the contract is paused. Consequently, users can bypass the lock mechanism and continue interacting with the contract even when it is explicitly paused for maintenance or to prevent malicious activity.

This omission undermines the intended purpose of the pausable mechanism, which is to halt all activity during critical periods, such as upgrades, emergency scenarios, or vulnerability patching.

Root Cause

No response

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

Users can send funds into the contract despite it being in a paused state, potentially exposing those funds to risks during a critical event (e.g., an exploit or protocol freeze).

PoC

No response

Mitigation

function increaseVouch(uint256 vouchId) public payable nonReentrant whenNotPaused {
    // Function logic remains the same
}