#52241 [SC-Low] Unexposed pausable functionality
Submitted on Aug 8th 2025 at 22:47:05 UTC by @funkornaut for Attackathon | Plume Network
Report ID: #52241
Report Type: Smart Contract
Report severity: Low
Target: https://github.com/immunefi-team/attackathon-plume-network-nucleus-boring-vault/blob/main/src/base/Roles/TellerWithMultiAssetSupportPredicateProxy.sol
Impacts: Contract fails to deliver promised returns, but doesn't lose value
Vulnerability Details
The contract inherits Pausable and guards deposit() and depositAndBridge() with paused() checks. However, it never exposes an externally callable pause() / unpause(): the only state-changing entry points are the internal _pause() / _unpause() inherited from Pausable, and nothing in the contract invokes them.
Result: paused() is always false, so the if (paused()) revert checks are dead code that only costs gas on every deposit. This diverges from the regular TellerWithMultiAssetSupport contract, which does expose pause() / unpause() behind access control and can actually be halted.
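The pattern described above, side by side with the corrected form, as an added example that is not part of the original report or the project's own code. It assumes OpenZeppelin v5 (Pausable under utils/, Ownable with a constructor argument) and forge-std; the contract and function names (UnpausableProxy, PausableProxy, deposit) and the use of Ownable as the access-control mechanism are illustrative assumptions, not the project's actual roles setup.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed dependencies: OpenZeppelin v5 and forge-std (example code, not the project's).
import {Pausable} from "@openzeppelin/contracts/utils/Pausable.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Test} from "forge-std/Test.sol";

// Hypothetical contract reproducing the reported pattern: Pausable is inherited and
// paused() is checked, but no external function ever calls _pause()/_unpause().
contract UnpausableProxy is Pausable {
    error Paused();
    event Deposited(address indexed sender, uint256 amount);

    function deposit(uint256 amount) external {
        if (paused()) revert Paused(); // dead branch: the flag can never be set
        emit Deposited(msg.sender, amount);
    }
}

// Corrected variant: expose pause()/unpause() behind access control (Ownable is an
// assumption here; the real project would use its own roles) and use whenNotPaused.
contract PausableProxy is Pausable, Ownable {
    event Deposited(address indexed sender, uint256 amount);

    constructor(address initialOwner) Ownable(initialOwner) {}

    function pause() external onlyOwner {
        _pause();
    }

    function unpause() external onlyOwner {
        _unpause();
    }

    function deposit(uint256 amount) external whenNotPaused {
        emit Deposited(msg.sender, amount);
    }
}

// Forge tests showing the difference: the first contract has no pause entry point at
// all, the second can be halted and resumed by the authorised account.
contract PauseExposureTest is Test {
    function test_unpausableProxyHasNoPauseEntrypoint() public {
        UnpausableProxy p = new UnpausableProxy();
        // Calling a selector the contract does not implement reverts (no fallback).
        (bool ok, ) = address(p).call(abi.encodeWithSignature("pause()"));
        assertFalse(ok);
        assertFalse(p.paused());
        p.deposit(1); // always succeeds; the guard is unreachable
    }

    function test_pausableProxyBlocksDepositWhilePaused() public {
        PausableProxy p = new PausableProxy(address(this));
        p.pause();
        assertTrue(p.paused());
        vm.expectRevert(Pausable.EnforcedPause.selector);
        p.deposit(1);
        p.unpause();
        p.deposit(1); // succeeds again once unpaused
    }

    function test_nonOwnerCannotPause() public {
        PausableProxy p = new PausableProxy(address(this));
        vm.prank(address(0xBEEF));
        vm.expectRevert(
            abi.encodeWithSelector(Ownable.OwnableUnauthorizedAccount.selector, address(0xBEEF))
        );
        p.pause();
    }
}
```

Run with forge test after placing the file under test/. The first test is the quick check a reviewer can apply to any Pausable-inheriting contract: if the pause() selector is absent from the ABI and no internal code path reaches _pause(), every paused() guard is dead.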
Impact
The proxy's deposit() and depositAndBridge() paths can never be halted in an emergency, even though the sibling TellerWithMultiAssetSupport contract provides that control; no funds are lost, but the expected circuit breaker is absent and the paused() checks add gas for no effect.
References
https://github.com/immunefi-team/attackathon-plume-network-nucleus-boring-vault/blob/main/src/base/Roles/TellerWithMultiAssetSupportPredicateProxy.sol?utm_source=immunefi#L78
Link to Proof of Concept
https://gist.github.com/Funkornaut/5e0d2397fea37670615c9b559d9853dd