Report ID
#12785
Target
https://etherscan.io/address/0xC1E088fC1323b20BCBee9bd1B9fC9546db5624C5
Report type
Smart Contract
Impacts
Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
Has PoC?
Yes
Bug Description
Pause/unpause functionality is implemented only in SeasonFacet, but it could also be applied in other facets, such as FieldFacet, CurveFacet, FundraiserFacet and SiloFacet.
If a hack is occurring or an exploit is discovered, the team should be able to pause the contract until the necessary changes are made to the system.
Because an attack would probably span a number of blocks, a method for pausing the contract would be able to interrupt any such attack once it is discovered.
To use a Thorchain example again, the team behind Thorchain noticed that an attack was going to occur well before the system transferred funds to the hacker. However, they were not able to shut the system down fast enough. (According to the incident report here: https://github.com/HalbornSecurity/PublicReports/blob/master/Incident%20Reports/Thorchain_Incident_Analysis_July_23_2021.pdf).
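The following is an added illustration, not Beanstalk's own code: because every facet of a diamond executes via delegatecall in the diamond's storage, one pause flag kept in a dedicated storage slot can be checked by a `whenNotPaused` modifier in any facet, rather than each facet keeping its own flag. The library name, storage slot label, the `owner` field used for the admin check, and the `FieldFacetExample.sow` function are assumptions made for this example; a real diamond would take the owner from its existing ownership library.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example (not Beanstalk code): one pause flag shared by all facets.
// Diamond storage pattern: a fixed slot derived from a string label so every
// facet, running under delegatecall, reads and writes the same flag.
library LibPause {
    bytes32 internal constant PAUSE_STORAGE_POSITION =
        keccak256("example.pause.storage"); // constructed label, not Beanstalk's

    struct PauseStorage {
        bool paused;
        uint256 pausedAt;
        address owner; // assumption: stored here for a self-contained example
    }

    function pauseStorage() internal pure returns (PauseStorage storage ps) {
        bytes32 position = PAUSE_STORAGE_POSITION;
        assembly {
            ps.slot := position
        }
    }

    function enforceNotPaused() internal view {
        require(!pauseStorage().paused, "Pause: contract is paused");
    }

    function enforceIsOwner() internal view {
        require(msg.sender == pauseStorage().owner, "Pause: not owner");
    }
}

// Base contract any facet inherits to get the guard; no state of its own,
// so it is safe to mix into facets with different storage layouts.
abstract contract PausableFacet {
    event Paused(address indexed account, uint256 timestamp);
    event Unpaused(address indexed account, uint256 timestamp);

    modifier whenNotPaused() {
        LibPause.enforceNotPaused();
        _;
    }
}

// Admin facet: the only place the flag is flipped. Because the flag lives in
// shared storage, pausing here halts guarded functions in every other facet.
contract PauseFacet is PausableFacet {
    function pause() external {
        LibPause.enforceIsOwner();
        LibPause.PauseStorage storage ps = LibPause.pauseStorage();
        require(!ps.paused, "Pause: already paused");
        ps.paused = true;
        ps.pausedAt = block.timestamp;
        emit Paused(msg.sender, block.timestamp);
    }

    function unpause() external {
        LibPause.enforceIsOwner();
        LibPause.PauseStorage storage ps = LibPause.pauseStorage();
        require(ps.paused, "Pause: not paused");
        ps.paused = false;
        emit Unpaused(msg.sender, block.timestamp);
    }

    function paused() external view returns (bool) {
        return LibPause.pauseStorage().paused;
    }
}

// Hypothetical user-facing facet: value-moving entry points carry the guard,
// so an in-progress attack is blocked at the next block after pause().
contract FieldFacetExample is PausableFacet {
    mapping(address => uint256) private _sown; // constructed state for the example

    function sow(uint256 amount) external whenNotPaused returns (uint256) {
        require(amount > 0, "Field: zero amount");
        _sown[msg.sender] += amount;
        return _sown[msg.sender];
    }
}
```

In a deployed diamond, `pause()`/`unpause()` would be registered once (in a single facet) and the modifier applied to every facet function that moves funds; the key property is that there is exactly one flag to flip under incident conditions, and that view functions are left unguarded so responders can still inspect state while paused.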
Impact
The Beanstalk dev team would have the ability to stop an attack or exploit while it is happening, reducing the loss caused by the attack or exploit.
Risk Breakdown
Difficulty to Exploit: Easy
Weakness:
CVSS2 Score:
Recommendation
Add pause() and unpause() guards to the other facets (FieldFacet, CurveFacet, FundraiserFacet, SiloFacet) so that the contract can be halted as a whole.
Proof of concept
Add pause() and unpause() guards to the other facets.