
Pause and unpause functions are inaccessible #212

@howlbot-integration

Description


Lines of code

https://github.com/code-423n4/2024-07-traitforge/blob/main/contracts/TraitForgeNft/TraitForgeNft.sol#L19
https://github.com/code-423n4/2024-07-traitforge/blob/main/contracts/NukeFund/NukeFund.sol#L11
https://github.com/code-423n4/2024-07-traitforge/blob/main/contracts/EntropyGenerator/EntropyGenerator.sol#L9
https://github.com/code-423n4/2024-07-traitforge/blob/main/contracts/EntityTrading/EntityTrading.sol#L11
https://github.com/code-423n4/2024-07-traitforge/blob/main/contracts/DevFund/DevFund.sol#L9
https://github.com/code-423n4/2024-07-traitforge/blob/main/contracts/EntityForging/EntityForging.sol#L10

Vulnerability details

Impact

All in-scope contracts of TraitForge inherit OpenZeppelin's Pausable contract, a feature designed to let contract functionality be paused and unpaused in emergencies or for maintenance. However, the inheriting contracts do not expose the _pause() and _unpause() functions, and Pausable itself only provides these as internal functions. As a result, despite inheriting the pausability feature, administrators have no way to pause or resume the contracts' operations when needed, which could leave the protocol without a circuit breaker at exactly the moment immediate intervention is required.

Proof of Concept

Pause and unpause functions of the Pausable contract:

    // Both functions are `internal`: they can only be reached through a
    // public/external wrapper defined in an inheriting contract.
    function _pause() internal virtual whenNotPaused {
        _paused = true;
        emit Paused(_msgSender());
    }

    function _unpause() internal virtual whenPaused {
        _paused = false;
        emit Unpaused(_msgSender());
    }

All in-scope contracts inherit Pausable, but none of them exposes a public or external entry point that calls _pause() or _unpause(). EntityTrading.sol is a clear example: it evidently intends to use the pausing functionality, since several of its functions carry the whenNotPaused modifier, yet paused() can never become true, so the modifier is a no-op.

Tools Used

Foundry

Recommended Mitigation Steps

To make use of the Pausable inheritance and improve the contracts' operational security, it is recommended to expose pause and unpause functions in each inheriting contract. These should be restricted to the contract owner or another authorized role, so that administrators can respond to operational needs or emergencies:

    /**
     * @dev Pauses all functions affected by `whenNotPaused`.
     */
    function pause() public onlyOwner {
        _pause();
    }

    /**
     * @dev Unpauses all functions affected by `whenNotPaused`.
     */
    function unpause() public onlyOwner {
        _unpause();
    }
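The following Foundry test is added here as an illustration; it is not part of the original submission or of the TraitForge code base. It uses two hypothetical minimal contracts, one that mirrors the reported pattern and one that adds the recommended wrappers, and assumes OpenZeppelin Contracts v5 (Ownable takes an initial owner in its constructor) together with forge-std.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";
import {Pausable} from "@openzeppelin/contracts/utils/Pausable.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

// Hypothetical contract mirroring the reported pattern: Pausable is inherited and
// whenNotPaused is applied, but nothing ever reaches the internal _pause()/_unpause().
contract BrokenPausable is Pausable, Ownable {
    constructor() Ownable(msg.sender) {}
    function trade() external whenNotPaused returns (bool) { return true; }
}

// Same contract with the recommended owner-only wrappers added.
contract FixedPausable is Pausable, Ownable {
    constructor() Ownable(msg.sender) {}
    function trade() external whenNotPaused returns (bool) { return true; }
    function pause() external onlyOwner { _pause(); }
    function unpause() external onlyOwner { _unpause(); }
}

contract PausabilityTest is Test {
    address stranger = makeAddr("stranger");

    // No selector in BrokenPausable can flip _paused: a pause() call reverts because
    // the function does not exist, so the whenNotPaused guard can never engage.
    function test_BrokenContractCannotBePaused() public {
        BrokenPausable broken = new BrokenPausable();
        (bool ok, ) = address(broken).call(abi.encodeWithSignature("pause()"));
        assertFalse(ok, "pause() is not part of the external interface");
        assertFalse(broken.paused());
        assertTrue(broken.trade());
    }

    // With the wrappers, the owner can halt guarded functions and resume them later.
    function test_FixedContractPausesAndResumes() public {
        FixedPausable fixedC = new FixedPausable();
        fixedC.pause();
        assertTrue(fixedC.paused());
        vm.expectRevert(Pausable.EnforcedPause.selector);
        fixedC.trade();
        fixedC.unpause();
        assertTrue(fixedC.trade());
    }

    // The wrappers are owner-only, so an arbitrary caller cannot freeze the protocol.
    function test_StrangerCannotPause() public {
        FixedPausable fixedC = new FixedPausable();
        vm.prank(stranger);
        vm.expectRevert(abi.encodeWithSelector(Ownable.OwnableUnauthorizedAccount.selector, stranger));
        fixedC.pause();
    }
}
```

Run with `forge test` in a project that has forge-std and OpenZeppelin v5 installed; the first test documents the defect, the other two verify the fix and its access control.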

Assessed type

Library

Labels

2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
🤖_23_group: AI based duplicate group recommendation
M-13
bug: Something isn't working
downgraded by judge: Judge downgraded the risk level of this issue
primary issue: Highest quality submission among a set of duplicates
satisfactory: satisfies C4 submission criteria; eligible for awards
selected for report: This submission will be included/highlighted in the audit report
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
sufficient quality report: This report is of sufficient quality
