code-423n4/2024-08-phi-validation

`updateArtSettings` in `PhiFactory.sol` can still be called even if the contract is paused

c4-bot-3 opened this issue · 0 comments

Lines of code

https://github.com/code-423n4/2024-08-phi/blob/8c0985f7a10b231f916a51af5d506dd6b0c54120/src/PhiFactory.sol#L215-L227

Vulnerability details

```solidity
function updateArtSettings(
    uint256 artId_,
    string memory url_,
    ...
    ...
)
    external
    onlyArtCreator(artId_) // only the creator check; no whenNotPaused modifier
{
    ....
    ....
}
```

`updateArtSettings` uses only the `onlyArtCreator` modifier and not `whenNotPaused`. This is dangerous, as the main purpose of pausing comes into play when an exploit has been discovered.

Once the contract has been compromised and loopholes have been found, it should not be possible to call `updateArtSettings`, as the compromised contract could have lowered barriers because of the ongoing exploit and may further fall prey to one in which illegal parameters are set through `updateArtSettings`.

Therefore, just like `createArt`, which has `whenNotPaused`, `updateArtSettings` should have it as well.

Recommended Mitigation Steps

```diff
function updateArtSettings(
    uint256 artId_,
    string memory url_,
    ...
    ...
)
    external
    onlyArtCreator(artId_)
+   whenNotPaused
{
    ...
    ...
}
```

Tools Used

Manual Review, Foundry, VSCode

Assessed type

Access Control
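The gap described in the report, as an added example that is not code from the report or from the Phi repository: a hypothetical minimal factory (`Factory`, with assumed names `owner`, `paused`, `artCreator`, `artUrl`) that exposes a creator-only setter in both its unguarded and its hardened form, followed by a Foundry test showing that the unguarded setter still succeeds while the contract is paused, while the hardened setter and `createArt` revert. The pause logic is a small stand-in for `Pausable`, not the project's implementation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

// Added example, not the Phi codebase. Every name here is hypothetical.
contract Factory {
    address public owner;
    bool public paused;
    mapping(uint256 => address) public artCreator;
    mapping(uint256 => string) public artUrl;
    uint256 public nextArtId;

    error EnforcedPause();
    error NotOwner();
    error NotArtCreator();

    constructor() { owner = msg.sender; }

    modifier onlyOwner() { if (msg.sender != owner) revert NotOwner(); _; }
    modifier whenNotPaused() { if (paused) revert EnforcedPause(); _; }
    modifier onlyArtCreator(uint256 artId_) {
        if (msg.sender != artCreator[artId_]) revert NotArtCreator();
        _;
    }

    function pause() external onlyOwner { paused = true; }
    function unpause() external onlyOwner { paused = false; }

    // Gated on the pause switch, like createArt in the report.
    function createArt(string memory url_) external whenNotPaused returns (uint256 artId) {
        artId = nextArtId++;
        artCreator[artId] = msg.sender;
        artUrl[artId] = url_;
    }

    // Vulnerable shape: only the creator check, so it keeps working while paused.
    function updateArtSettings(uint256 artId_, string memory url_) external onlyArtCreator(artId_) {
        artUrl[artId_] = url_;
    }

    // Hardened shape: the same setter with the pause check added.
    function updateArtSettingsFixed(uint256 artId_, string memory url_)
        external
        onlyArtCreator(artId_)
        whenNotPaused
    {
        artUrl[artId_] = url_;
    }
}

contract PauseGapTest is Test {
    Factory f;
    address creator = address(0xBEEF);

    function setUp() public {
        f = new Factory();            // the test contract is the owner
        vm.prank(creator);
        f.createArt("ipfs://original"); // art id 0, owned by `creator`
        f.pause();                    // simulate the incident-response pause
    }

    function test_unguardedSetterBypassesPause() public {
        vm.prank(creator);
        f.updateArtSettings(0, "ipfs://changed-while-paused");
        // The write lands even though the contract is paused.
        assertEq(f.artUrl(0), "ipfs://changed-while-paused");
    }

    function test_guardedSetterRevertsWhilePaused() public {
        vm.prank(creator);
        vm.expectRevert(Factory.EnforcedPause.selector);
        f.updateArtSettingsFixed(0, "ipfs://blocked");
        assertEq(f.artUrl(0), "ipfs://original");
    }

    function test_createArtRevertsWhilePaused() public {
        vm.expectRevert(Factory.EnforcedPause.selector);
        f.createArt("ipfs://blocked");
    }
}
```

Run with `forge test -vv` in a Foundry project that has `forge-std` installed; the first test is the regression that should fail once `whenNotPaused` is added to the real setter, which is the check to keep alongside the mitigation.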