Shaggy Pineapple Nuthatch
Medium
EthosVouch contract implements pausable functionality which according to sponsors would pause when there's a risk of funds being lost due to compromise
. During that event all of the core functionalities like vouchByAddress , vouchByProfile ,unvouch , increaseVouch etc MUST BE PAUSED however the critical method increaseVouch
is missing whenNotPaused
modifer making it available for users to call and potentially engage with protocol through monetory transactions by increasing vouch when in-fact this action MUST NOT be allowed when the contract is paused.
This NOT a user error rather a security flaw in the implementation because if it was to be a user error , the whenNotPaused
modifier should not be present on other functions too assuming the users are "intelligent enough" to monitor on-chain conditions all the time.
Missing whenNotPaused
modifier in ethosVouch.sol line #426
https://github.com/sherlock-audit/2024-11-ethos-network-ii/blob/57c02df7c56f0b18c681a89ebccc28c86c72d8d8/ethos/packages/contracts/contracts/EthosVouch.sol#L426
- Vouch must exist
- Contract must be paused
- User wants to increase Vouch for already existing one
- User initiates some amount of ETH increase in Vouch
The users might be interacting with the protocol at vulnerable condition ( for example a critical bug of funds loss is discovered ) and user will put their more funds into the protocol which will be endangered.
The issue is evident from the detailed description above.
Add whenNotPaused
modifier on increaseVouch
function too.