missing whenNotPaused #71
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
resolved: Finding has been patched by sponsor (sponsor pls link to PR containing fix)
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/core/LensHub.sol#L929
Vulnerability details
All the external functions of LensHub have the whenNotPaused modifier.
However, LensHub is an ERC721 and the transfer function doesn't have the whenNotPaused modifier.
Impact
In a case where the governance wants to stop all activity, they still can't stop the transferring of profile NFTs.
An example where stopping the transferring of tokens was actually very helpful:
https://mobile.twitter.com/flashfish0x/status/1466369783016869892
Recommended Mitigation Steps
Add whenNotPaused to _beforeTokenTransfer.
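An added illustration of the recommended mitigation, not code from LensHub or from the original report: a minimal pausable token in which the transfer entry point has no modifier of its own and the pause check sits on the transfer hook. The contract name, the single governance pauser and the createProfile function are assumptions made for the sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Added illustration with hypothetical names; not LensHub code.
// Approvals, events and safe transfers are omitted to keep the focus on pausing.
contract PausableProfileToken {
    error Paused();
    error NotGovernance();
    error NotOwner();

    address public immutable governance; // assumed single pauser role
    bool public paused;
    uint256 public nextId = 1;
    mapping(uint256 => address) public ownerOf;

    modifier whenNotPaused() {
        if (paused) revert Paused();
        _;
    }

    constructor() {
        governance = msg.sender;
    }

    function setPaused(bool value) external {
        if (msg.sender != governance) revert NotGovernance();
        paused = value;
    }

    // Protocol entry point that already carries the modifier.
    function createProfile(address to) external whenNotPaused returns (uint256 id) {
        id = nextId++;
        _beforeTokenTransfer(address(0), to, id);
        ownerOf[id] = to;
    }

    // Inherited-style transfer entry point: no pause modifier of its own.
    function transferFrom(address from, address to, uint256 id) external {
        if (ownerOf[id] != from || msg.sender != from) revert NotOwner();
        _beforeTokenTransfer(from, to, id);
        ownerOf[id] = to;
    }

    // The mitigation: every ownership change passes through this hook, so the
    // guard here covers transfers. Without whenNotPaused on this function,
    // transferFrom keeps working while the contract is paused.
    function _beforeTokenTransfer(address, address, uint256) internal view whenNotPaused {}
}
```

Because the hook in this sketch also runs when a profile is created, the guard applies to every ownership change, not only to transfers between holders.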