Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
code423n4Code4renaCODE423N4:2023-03-POLYNOMIAL-FINDINGS-ISSUES-232
HistoryMar 20, 2023 - 12:00 a.m.

KangarooVault.initiateDeposit, KangarooVault.processDepositQueue, KangarooVault.initiateWithdrawal, and KangarooVault.processWithdrawalQueue functions do not use whenNotPaused modifier

2023-03-2000:00:00
Code4rena
github.com
7
kangaroovault
pausemodifier
liquiditypool
emergency
hack
security
JSON

Lines of code
<https://github.com/code-423n4/2023-03-polynomial/blob/main/src/KangarooVault.sol#L183&gt;
<https://github.com/code-423n4/2023-03-polynomial/blob/main/src/KangarooVault.sol#L243&gt;
<https://github.com/code-423n4/2023-03-polynomial/blob/main/src/KangarooVault.sol#L215&gt;
<https://github.com/code-423n4/2023-03-polynomial/blob/main/src/KangarooVault.sol#L269&gt;
<https://github.com/code-423n4/2023-03-polynomial/blob/main/src/LiquidityPool.sol#L184&gt;
<https://github.com/code-423n4/2023-03-polynomial/blob/main/src/LiquidityPool.sol#L200-L205&gt;
<https://github.com/code-423n4/2023-03-polynomial/blob/main/src/LiquidityPool.sol#L219&gt;
<https://github.com/code-423n4/2023-03-polynomial/blob/main/src/LiquidityPool.sol#L247&gt;
<https://github.com/code-423n4/2023-03-polynomial/blob/main/src/LiquidityPool.sol#L264-L269&gt;
<https://github.com/code-423n4/2023-03-polynomial/blob/main/src/LiquidityPool.sol#L284&gt;

Vulnerability details

Impact

As shown by the code below, although PauseModifier is imported, the KangarooVault contract does not use the whenNotPaused modifier in any of its functions. More specifically, the KangarooVault.initiateDeposit, KangarooVault.processDepositQueue, KangarooVault.initiateWithdrawal, and KangarooVault.processWithdrawalQueue functions do not use the whenNotPaused modifier.

<https://github.com/code-423n4/2023-03-polynomial/blob/main/src/KangarooVault.sol#L19-L21&gt;

import {PauseModifier} from "./utils/PauseModifier.sol";

contract KangarooVault is Auth, ReentrancyGuard, PauseModifier {

<https://github.com/code-423n4/2023-03-polynomial/blob/main/src/KangarooVault.sol#L183&gt;

    function initiateDeposit(address user, uint256 amount) external nonReentrant {

<https://github.com/code-423n4/2023-03-polynomial/blob/main/src/KangarooVault.sol#L243&gt;

    function processDepositQueue(uint256 idCount) external nonReentrant {

<https://github.com/code-423n4/2023-03-polynomial/blob/main/src/KangarooVault.sol#L215&gt;

    function initiateWithdrawal(address user, uint256 tokens) external nonReentrant {

<https://github.com/code-423n4/2023-03-polynomial/blob/main/src/KangarooVault.sol#L269&gt;

    function processWithdrawalQueue(uint256 idCount) external nonReentrant {

This is unlike the LiquidityPool contract; comparing to the KangarooVault.initiateDeposit, KangarooVault.processDepositQueue, KangarooVault.initiateWithdrawal, and KangarooVault.processWithdrawalQueue functions, the LiquidityPool.deposit, LiquidityPool.queueDeposit, LiquidityPool.processDeposits, LiquidityPool.withdraw, LiquidityPool.queueWithdraw, and LiquidityPool.processWithdraws functions have the similar functionalities but they all use the whenNotPaused modifier. As a result, when an emergency, such as a hack, occurs, the protocol can pause the LiquidityPool.withdraw, LiquidityPool.queueWithdraw, and LiquidityPool.processWithdraws functions to prevent or reduce damages, such as preventing users and the protocol from losing funds, but cannot do that for the KangarooVault.initiateDeposit, KangarooVault.processDepositQueue, KangarooVault.initiateWithdrawal, and KangarooVault.processWithdrawalQueue functions.

<https://github.com/code-423n4/2023-03-polynomial/blob/main/src/LiquidityPool.sol#L184&gt;

    function deposit(uint256 amount, address user) external override nonReentrant whenNotPaused("POOL_DEPOSIT") {

<https://github.com/code-423n4/2023-03-polynomial/blob/main/src/LiquidityPool.sol#L200-L205&gt;

    function queueDeposit(uint256 amount, address user)
        external
        override
        nonReentrant
        whenNotPaused("POOL_QUEUE_DEPOSIT")
    {

<https://github.com/code-423n4/2023-03-polynomial/blob/main/src/LiquidityPool.sol#L219&gt;

    function processDeposits(uint256 count) external override nonReentrant whenNotPaused("POOL_PROCESS_DEPOSITS") {

<https://github.com/code-423n4/2023-03-polynomial/blob/main/src/LiquidityPool.sol#L247&gt;

    function withdraw(uint256 tokens, address user) external override nonReentrant whenNotPaused("POOL_WITHDRAW") {

<https://github.com/code-423n4/2023-03-polynomial/blob/main/src/LiquidityPool.sol#L264-L269&gt;

    function queueWithdraw(uint256 tokens, address user)
        external
        override
        nonReentrant
        whenNotPaused("POOL_QUEUE_WITHDRAW")
    {

<https://github.com/code-423n4/2023-03-polynomial/blob/main/src/LiquidityPool.sol#L284&gt;

    function processWithdraws(uint256 count) external override nonReentrant whenNotPaused("POOL_PROCESS_WITHDRAWS") {

Proof of Concept

The following steps can occur for the described scenario.

  1. An emergency, such as a hack, occurs in which further withdrawals can cause users and the protocol to lose funds.
  2. The protocol team is able to pause the LiquidityPool.withdraw, LiquidityPool.queueWithdraw, and LiquidityPool.processWithdraws functions.
  3. However, the protocol team is unable to pause the KangarooVault.initiateWithdrawal and KangarooVault.processWithdrawalQueue functions.
  4. As a result, funds can be lost from the KangarooVault.

Tools Used

VSCode

Recommended Mitigation Steps

The KangarooVault.initiateDeposit, KangarooVault.processDepositQueue, KangarooVault.initiateWithdrawal, and KangarooVault.processWithdrawalQueue functions can be updated to use the whenNotPaused modifier.

The text was updated successfully, but these errors were encountered:

All reactions

JSON