Skip to content

Latest commit

 

History

History
42 lines (22 loc) · 1.76 KB

File metadata and controls

42 lines (22 loc) · 1.76 KB

Shaggy Pineapple Nuthatch

Medium

Users will be able to IncreaseVouch even when ethosVouch is paused

Summary

EthosVouch contract implements pausable functionality which according to sponsors would pause when there's a risk of funds being lost due to compromise. During that event all of the core functionalities like vouchByAddress , vouchByProfile ,unvouch , increaseVouch etc MUST BE PAUSED however the critical method increaseVouch is missing whenNotPaused modifer making it available for users to call and potentially engage with protocol through monetory transactions by increasing vouch when in-fact this action MUST NOT be allowed when the contract is paused.

This NOT a user error rather a security flaw in the implementation because if it was to be a user error , the whenNotPaused modifier should not be present on other functions too assuming the users are "intelligent enough" to monitor on-chain conditions all the time.

Root Cause

Missing whenNotPaused modifier in ethosVouch.sol line #426 https://github.com/sherlock-audit/2024-11-ethos-network-ii/blob/57c02df7c56f0b18c681a89ebccc28c86c72d8d8/ethos/packages/contracts/contracts/EthosVouch.sol#L426

Internal pre-conditions

  1. Vouch must exist
  2. Contract must be paused

External pre-conditions

  1. User wants to increase Vouch for already existing one

Attack Path

  1. User initiates some amount of ETH increase in Vouch

Impact

The users might be interacting with the protocol at vulnerable condition ( for example a critical bug of funds loss is discovered ) and user will put their more funds into the protocol which will be endangered.

PoC

The issue is evident from the detailed description above.

Mitigation

Add whenNotPaused modifier on increaseVouch function too.