Plain Inky Porpoise
Medium
From the depositWithPermit function, it can be inferred that deposits are meant to be disabled when the contract is paused, but users can still deposit by accessing the deposit and mint functions.
depositWithPermit holds the whenNotPaused modifier which prevents deposit with permit when the vault is paused. When the contract is paused, users should not be able to deposit.
function depositWithPermit(
uint256 assets,
address receiver,
uint256 deadline,
uint8 v,
bytes32 r,
bytes32 s
) external whenNotPaused nonReentrant returns (uint256 shares) {
try IERC20Permit(asset()).permit(msg.sender, address(this), assets, deadline, v, r, s) {} // solhint-disable-line no-empty-blocks
catch {} // solhint-disable-line no-empty-blocks
return deposit(assets, receiver);
}But this can be bypassed by users directly depositing using the deposit/mint function. This is because the functions are not overriden from their base ERC4626Upgradeable contract and as a result are still usable even when contract is paused. Coupled with the fact that the shares can still be transferred when paused, users can easily mint or deposit when the contract is paused, bypassing the depositWithPermit functionality.
function _update(address from, address to, uint256 amount)
internal
override(ERC20Upgradeable)
{
UsualXStorageV0 storage $ = _usualXStorageV0();
if ($.isBlacklisted[from] || $.isBlacklisted[to]) {
revert Blacklisted();
}
super._update(from, to, amount);
}No response
No response
No response
Bypassing paused vault status to deposit and mint shares.
No response
Override the deposit and mint functions and add the whenNotPaused modifier.