Missing pause / unpause functions prevent emergency protocol shutdown
Contract inherits PausableUpgradeable and initialises pausable state but never exposes pause / unpause functions, so the team cannot halt staking during a discovered exploit.
Description
This issue was found during the mitigation period as part of the recommended mitigation for F-2025-0004 (the max reward allocation finding).
The contract inherits from PausableUpgradeable but does not implement the necessary functions to utilise this functionality. The contract initialises the pausable functionality with __Pausable_init() but does not expose any functions to actually pause or unpause the contract.
Impact
If a critical vulnerability is discovered or if the contract needs to be temporarily halted for any reason:
- The team cannot pause the contract to prevent further exploitation.
- Users can continue interacting with a potentially vulnerable contract.
- The emergency mitigation mechanism is completely non-functional.
This is particularly concerning as the pause functionality was meant to be a safety mechanism for emergency situations.
Recommendation
Add pause and unpause functions:
/**
 * @notice Pauses the contract, preventing staking and unstaking
 * @dev Only callable by owner
 */
function pause() public onlyOwner {
    _pause();
}

/**
 * @notice Unpauses the contract, allowing staking and unstaking
 * @dev Only callable by owner
 */
function unpause() public onlyOwner {
    _unpause();
}
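A heuristic source check for this class of finding, added here as an example (it is not part of the audit report or the project's code): it flags a contract that inherits a Pausable base but has no public/external function reaching _pause() / _unpause(), and also notes when nothing uses OpenZeppelin's whenNotPaused modifier. The sample contract, the helper names, and the regex-based, one-contract-per-source parsing are assumptions.

```python
import re

# Constructed sample contract (not the audited code): inherits and initialises
# PausableUpgradeable but exposes no way to call _pause() / _unpause().
TEMPLATE = """
contract Staking is OwnableUpgradeable, PausableUpgradeable {
    function initialize() public initializer { __Ownable_init(msg.sender); __Pausable_init(); }
    function stake(uint256 amount) external whenNotPaused { /* ... */ }
    // function pause() public onlyOwner { _pause(); }   <- commented out, must not count
    EXTRA
}
"""
VULNERABLE = TEMPLATE.replace("EXTRA", "")
FIXED = TEMPLATE.replace("EXTRA", """function pause() public onlyOwner { _pause(); }
    function unpause() public onlyOwner { _unpause(); }""")


def strip_comments(src):
    """Drop /* */ and // comments so commented-out calls are ignored."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)


def exposed_callers(code, internal):
    """Names of public/external functions whose (brace-free) body calls internal()."""
    pat = r"function\s+(\w+)\s*\([^)]*\)([^{};]*)\{[^{}]*\b" + internal + r"\s*\(\s*\)"
    return [name for name, header in re.findall(pat, code)
            if re.search(r"\b(public|external)\b", header)]


def pausable_findings(src):
    """Heuristic check of one contract's source; returns a list of finding strings."""
    code = strip_comments(src)
    decl = re.search(r"\bcontract\s+\w+\s+is\s+([^{]*)\{", code)
    if not decl or not re.search(r"\bPausable(Upgradeable)?\b", decl.group(1)):
        return []  # does not inherit a Pausable base: nothing to check
    findings = []
    for internal in ("_pause", "_unpause"):
        if not exposed_callers(code, internal):
            findings.append("no public/external function calls %s()" % internal)
    if not re.search(r"\bwhenNotPaused\b", code):
        findings.append("no function uses whenNotPaused, so pausing would block nothing")
    return findings


if __name__ == "__main__":
    print("vulnerable:", pausable_findings(VULNERABLE))
    print("fixed:     ", pausable_findings(FIXED))
```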
Resolution
Ample Protocol: Fixed.
Zealynx: Verified.

