F-2025-0005 · documentation-mismatch

Misleading Documentation on Pausable Feature

Acknowledged · escrow · payments · erc-20
TL;DR

Documentation claims the Pausable owner can pause all state-changing actions, but the whenNotPaused modifier is applied only to the creation paths, not to cancelPayment() or settlePayment().

Severity: INFO
Impact: LOW
Likelihood: LOW
Method: Manual review
Complexity: LOW
Exploitability: LOW

Description

The documentation claims that:

Pausable Owner can pause/unpause all state-changing actions.

However, in the actual implementation, the whenNotPaused modifier is applied only to the createERC20Payment() and createERC20PaymentWithTimelock() functions.

Other state-changing functions such as cancelPayment() and settlePayment() are not protected by this modifier, creating a discrepancy between the documented and actual behavior of the contract.

Users and integrators may assume that all state-changing functions are disabled when the contract is paused, potentially leading to unexpected behaviors or incorrect assumptions about the system's security posture during emergency pauses.


Recommendation

Either update the documentation to accurately reflect which functions are protected by the Pausable mechanism, or apply the whenNotPaused modifier consistently to all state-changing functions such as cancelPayment() and settlePayment().
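To keep documentation and code aligned after either fix, the check below lists every externally callable, state-changing function that lacks whenNotPaused. It is an added example, not code from the audited project: the sample contract is constructed, with function names taken from this finding and all signatures, other modifiers and bodies assumed.

```python
import re

# Constructed sample: function names come from the finding; signatures,
# other modifiers and bodies are assumptions, not the audited source.
SAMPLE_SOURCE = """
contract Escrow is Pausable, Ownable {
    function createERC20Payment(address token, uint256 amount) external whenNotPaused returns (uint256) { }
    function createERC20PaymentWithTimelock(address token, uint256 amount, uint64 unlockAt)
        external
        whenNotPaused
        returns (uint256)
    { }
    function cancelPayment(uint256 id) external { }
    function settlePayment(uint256 id) external nonReentrant { }
    function getPayment(uint256 id) external view returns (address, uint256) { }
    function _release(uint256 id) internal { }
    // function legacyCancel(uint256 id) external { }
}
"""

# Function header: name, parameter list, then everything up to '{' or ';'.
FUNC_RE = re.compile(r"\bfunction\s+(\w+)\s*\(([^)]*)\)([^{;]*)[{;]")
COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)


def unpaused_state_changers(source, modifier="whenNotPaused"):
    """Return externally callable, non-view/pure functions lacking `modifier`."""
    source = COMMENT_RE.sub("", source)  # commented-out code must not count
    missing = []
    for name, _params, attrs in FUNC_RE.findall(source):
        words = set(re.findall(r"\w+", attrs))
        if not words & {"external", "public"}:
            continue  # internal/private: reached only through other entry points
        if words & {"view", "pure"}:
            continue  # read-only, so not a state-changing action
        if modifier not in words:
            missing.append(name)
    return missing


if __name__ == "__main__":
    for fn in unpaused_state_changers(SAMPLE_SOURCE):
        print(f"not gated by whenNotPaused: {fn}")
```

The output is a review list, not a verdict: the check reads function headers only, so it does not see modifiers applied through inheritance or pause checks written inside a function body.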

© 2026 Zealynx