# 51162 sc low missing pause control implementation in tellerwithmultiassetsupportpredicateproxy **Submitted on Jul 31st 2025 at 17:22:43 UTC by @TeamJosh for** [**Attackathon | Plume Network**](https://immunefi.com/audit-competition/plume-network-attackathon) * **Report ID:** #51162 * **Report Type:** Smart Contract * **Report severity:** Low * **Target:** * **Impacts:** * Contract fails to deliver promised returns, but doesn't lose value ## Description ### Brief/Intro The `TellerWithMultiAssetSupportPredicateProxy` contract inherits from OpenZeppelin’s `Pausable` contract, intending to provide an emergency stop mechanism for sensitive user-facing operations like `deposit` and `depositAndBridge`. However, the contract does not implement any mechanism to trigger the internal `_pause()` or `_unpause()` functions, rendering the `paused()` check in these functions ineffective. ### Vulnerability Details The following guard appears in `deposit()` and `depositAndBridge()`: ```solidity if (paused()) { revert TellerWithMultiAssetSupportPredicateProxy__Paused(); } ``` These checks are intended to prevent interaction when the system is paused. However, there is no public or internal function in the contract that calls `_pause()` or `_unpause()`, which are required to actually change the pause state. Key missing components: * No `pause()` or `unpause()` function callable by the owner. * No emergency pause mechanism in case of malicious activity or discovered vulnerabilities. As a result, the `paused()` state will always return `false`, meaning the guard is never actually enforced, and emergency control is effectively broken. ## Impact Details * Inability to pause user-facing entry points (`deposit` and `depositAndBridge`) in case of exploits or bugs. ## Proof of Concept ```solidity // Try pausing the contract (this function doesn’t exist) proxy.pause(); // Error: function does not exist // Confirm that deposit is always enabled despite claiming to be pausable bool pausedState = proxy.paused(); // always false proxy.deposit(...); // always succeeds, even in supposed paused state ``` ## References (Add any relevant links to documentation or code) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://reports.immunefi.com/plume-or-attackathon/51162-sc-low-missing-pause-control-implementation-in-tellerwithmultiassetsupportpredicateproxy.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.