Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

KangarooVault.initiateDeposit, KangarooVault.processDepositQueue, KangarooVault.initiateWithdrawal, and KangarooVault.processWithdrawalQueue functions do not use whenNotPaused modifier #232

Open
code423n4 opened this issue Mar 20, 2023 · 6 comments
Open

KangarooVault.initiateDeposit, KangarooVault.processDepositQueue, KangarooVault.initiateWithdrawal, and KangarooVault.processWithdrawalQueue functions do not use whenNotPaused modifier #232

code423n4 opened this issue Mar 20, 2023 · 6 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) M-03 primary issue Highest quality submission among a set of duplicates selected for report This submission will be included/highlighted in the audit report sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-03-polynomial/blob/main/src/KangarooVault.sol#L19-L21
https://github.com/code-423n4/2023-03-polynomial/blob/main/src/KangarooVault.sol#L183
https://github.com/code-423n4/2023-03-polynomial/blob/main/src/KangarooVault.sol#L243
https://github.com/code-423n4/2023-03-polynomial/blob/main/src/KangarooVault.sol#L215
https://github.com/code-423n4/2023-03-polynomial/blob/main/src/KangarooVault.sol#L269
https://github.com/code-423n4/2023-03-polynomial/blob/main/src/LiquidityPool.sol#L184
https://github.com/code-423n4/2023-03-polynomial/blob/main/src/LiquidityPool.sol#L200-L205
https://github.com/code-423n4/2023-03-polynomial/blob/main/src/LiquidityPool.sol#L219
https://github.com/code-423n4/2023-03-polynomial/blob/main/src/LiquidityPool.sol#L247
https://github.com/code-423n4/2023-03-polynomial/blob/main/src/LiquidityPool.sol#L264-L269
https://github.com/code-423n4/2023-03-polynomial/blob/main/src/LiquidityPool.sol#L284

Vulnerability details

Impact

As shown by the code below, although PauseModifier is imported, the KangarooVault contract does not use the whenNotPaused modifier in any of its functions. More specifically, the KangarooVault.initiateDeposit, KangarooVault.processDepositQueue, KangarooVault.initiateWithdrawal, and KangarooVault.processWithdrawalQueue functions do not use the whenNotPaused modifier.

https://github.com/code-423n4/2023-03-polynomial/blob/main/src/KangarooVault.sol#L19-L21

import {PauseModifier} from "./utils/PauseModifier.sol";

contract KangarooVault is Auth, ReentrancyGuard, PauseModifier {

https://github.com/code-423n4/2023-03-polynomial/blob/main/src/KangarooVault.sol#L183

    function initiateDeposit(address user, uint256 amount) external nonReentrant {

https://github.com/code-423n4/2023-03-polynomial/blob/main/src/KangarooVault.sol#L243

    function processDepositQueue(uint256 idCount) external nonReentrant {

https://github.com/code-423n4/2023-03-polynomial/blob/main/src/KangarooVault.sol#L215

    function initiateWithdrawal(address user, uint256 tokens) external nonReentrant {

https://github.com/code-423n4/2023-03-polynomial/blob/main/src/KangarooVault.sol#L269

    function processWithdrawalQueue(uint256 idCount) external nonReentrant {

This is unlike the LiquidityPool contract; comparing to the KangarooVault.initiateDeposit, KangarooVault.processDepositQueue, KangarooVault.initiateWithdrawal, and KangarooVault.processWithdrawalQueue functions, the LiquidityPool.deposit, LiquidityPool.queueDeposit, LiquidityPool.processDeposits, LiquidityPool.withdraw, LiquidityPool.queueWithdraw, and LiquidityPool.processWithdraws functions have the similar functionalities but they all use the whenNotPaused modifier. As a result, when an emergency, such as a hack, occurs, the protocol can pause the LiquidityPool.withdraw, LiquidityPool.queueWithdraw, and LiquidityPool.processWithdraws functions to prevent or reduce damages, such as preventing users and the protocol from losing funds, but cannot do that for the KangarooVault.initiateDeposit, KangarooVault.processDepositQueue, KangarooVault.initiateWithdrawal, and KangarooVault.processWithdrawalQueue functions.

https://github.com/code-423n4/2023-03-polynomial/blob/main/src/LiquidityPool.sol#L184

    function deposit(uint256 amount, address user) external override nonReentrant whenNotPaused("POOL_DEPOSIT") {

https://github.com/code-423n4/2023-03-polynomial/blob/main/src/LiquidityPool.sol#L200-L205

    function queueDeposit(uint256 amount, address user)
        external
        override
        nonReentrant
        whenNotPaused("POOL_QUEUE_DEPOSIT")
    {

https://github.com/code-423n4/2023-03-polynomial/blob/main/src/LiquidityPool.sol#L219

    function processDeposits(uint256 count) external override nonReentrant whenNotPaused("POOL_PROCESS_DEPOSITS") {

https://github.com/code-423n4/2023-03-polynomial/blob/main/src/LiquidityPool.sol#L247

    function withdraw(uint256 tokens, address user) external override nonReentrant whenNotPaused("POOL_WITHDRAW") {

https://github.com/code-423n4/2023-03-polynomial/blob/main/src/LiquidityPool.sol#L264-L269

    function queueWithdraw(uint256 tokens, address user)
        external
        override
        nonReentrant
        whenNotPaused("POOL_QUEUE_WITHDRAW")
    {

https://github.com/code-423n4/2023-03-polynomial/blob/main/src/LiquidityPool.sol#L284

    function processWithdraws(uint256 count) external override nonReentrant whenNotPaused("POOL_PROCESS_WITHDRAWS") {

Proof of Concept

The following steps can occur for the described scenario.

  1. An emergency, such as a hack, occurs in which further withdrawals can cause users and the protocol to lose funds.
  2. The protocol team is able to pause the LiquidityPool.withdraw, LiquidityPool.queueWithdraw, and LiquidityPool.processWithdraws functions.
  3. However, the protocol team is unable to pause the KangarooVault.initiateWithdrawal and KangarooVault.processWithdrawalQueue functions.
  4. As a result, funds can be lost from the KangarooVault.

Tools Used

VSCode

Recommended Mitigation Steps

The KangarooVault.initiateDeposit, KangarooVault.processDepositQueue, KangarooVault.initiateWithdrawal, and KangarooVault.processWithdrawalQueue functions can be updated to use the whenNotPaused modifier.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Mar 20, 2023
code423n4 added a commit that referenced this issue Mar 20, 2023
@code423n4
rbserver issue #232
ad4821d
@c4-judge c4-judge added the primary issue Highest quality submission among a set of duplicates label Mar 22, 2023
@c4-judge
Copy link
Contributor

JustDravee marked the issue as primary issue

This was referenced Mar 22, 2023
Closed
Closed
@JustDravee JustDravee mentioned this issue Mar 25, 2023
Closed
@c4-judge c4-judge mentioned this issue Mar 26, 2023
Closed
@JustDravee JustDravee mentioned this issue Mar 26, 2023
Open
@c4-judge c4-judge mentioned this issue Mar 26, 2023
Closed
@c4-sponsor c4-sponsor added the disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) label Apr 4, 2023
@c4-sponsor
Copy link

rivalq marked the issue as disagree with severity

@JustDravee
Copy link

rivalq marked the issue as disagree with severity

Not such an easy one to grade. Historically, missing whenNotPaused modifiers are considered as a medium risk issue:

The only time they are considered as Low severity findings are when they're actually put on too many functions and should be removed:

Therefore I believe that Medium Severity is the right risk level, at least for this type of issue on code4rena and for the time being

@mubaris
Copy link

mubaris commented Apr 22, 2023

Medium severity seems fair

@c4-sponsor c4-sponsor added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Apr 22, 2023
@c4-sponsor
Copy link

mubaris marked the issue as sponsor confirmed

@c4-judge
Copy link
Contributor

c4-judge commented May 3, 2023

JustDravee marked the issue as selected for report

@c4-judge c4-judge added the selected for report This submission will be included/highlighted in the audit report label May 3, 2023
@C4-Staff C4-Staff added the M-03 label May 16, 2023
@0xJuancito 0xJuancito mentioned this issue Aug 29, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) M-03 primary issue Highest quality submission among a set of duplicates selected for report This submission will be included/highlighted in the audit report sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@mubaris @JustDravee @code423n4 @c4-judge @c4-sponsor @C4-Staff