#52896 [SC - Low] Pause gate is present but no way to pause

Submitted on Aug 14th 2025 at 06:36:51 UTC by @hulkvision for Attackathon | Plume Network

  • Report ID: #52896

  • Report Type: Smart Contract

  • Report severity: Low

  • Target: https://github.com/immunefi-team/attackathon-plume-network-nucleus-boring-vault/blob/main/src/base/Roles/TellerWithMultiAssetSupportPredicateProxy.sol

  • Impacts:

    • Smart contract unable to operate due to lack of token funds

    • “Pause” gate is present but no way to pause (operational risk / incident response)

Description

Brief/Intro

The contract owner is unable to activate the emergency pause mechanism, rendering the contract unstoppable during an active exploit or operational failure.

Vulnerability Details

The TellerWithMultiAssetSupportPredicateProxy contract inherits from OpenZeppelin's Pausable utility and implements the necessary checks to block functions when paused. However, it critically omits the external pause() and unpause() functions required for the owner to actually trigger the paused state. This oversight renders the entire emergency stop feature non-functional, meaning if a separate vulnerability were discovered and exploited, the owner would be powerless to halt the contract and prevent further financial losses.

// File: TellerWithMultiAssetSupportPredicateProxy.sol

// L78-L80
function deposit(...) ... {
    if (paused()) { // <--- Check is present
        revert TellerWithMultiAssetSupportPredicateProxy__Paused();
    }
    ...
}

// L133-L135
function depositAndBridge(...) ... {
    if (paused()) { // <--- Check is present
        revert TellerWithMultiAssetSupportPredicateProxy__Paused();
    }
    ...
}

This demonstrates a clear intent to allow the owner to pause the contract. However, the contract source code is missing the corresponding control functions that would call the internal _pause() and _unpause() functions from the Pausable contract.

Without these functions, there is no way for the owner or any other party to transition the contract into a "paused" state. The security mechanism is incomplete and therefore inoperable.
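A minimal illustration of the fix, added here and not taken from the repository: a contract with the same paused() check, the owner-gated pause()/unpause() pair the report says is missing, and a Foundry regression test showing the gate actually closes and reopens. It assumes OpenZeppelin v5 and forge-std; the real contract's access-control scheme is not shown in the report, so the onlyOwner modifier is an assumption to be swapped for whatever role system the project uses.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration, not the project's code. Assumes OpenZeppelin v5 Pausable/Ownable
// and forge-std; the real contract's access-control scheme may differ, so gate
// pause()/unpause() with whatever role modifier that contract actually uses.
import {Pausable} from "@openzeppelin/contracts/utils/Pausable.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Test} from "forge-std/Test.sol";

error TellerWithMultiAssetSupportPredicateProxy__Paused();

contract PausableTellerProxy is Pausable, Ownable {
    uint256 public totalDeposited; // stand-in for the real forwarding logic
    constructor(address initialOwner) Ownable(initialOwner) {}

    // Same shape as the reported deposit(): the paused() check is present, but
    // without pause()/unpause() below nothing could ever make it fire.
    function deposit(uint256 amount) external returns (uint256) {
        if (paused()) revert TellerWithMultiAssetSupportPredicateProxy__Paused();
        totalDeposited += amount; // forwarding to the underlying teller elided
        return amount;
    }

    // The missing controls: expose Pausable's internal _pause()/_unpause()
    // behind access control so the owner can halt deposits during an incident.
    function pause() external onlyOwner { _pause(); }
    function unpause() external onlyOwner { _unpause(); }
}

// Regression test a reviewer would ask for: gate closes, reopens, and only the owner drives it.
contract PauseGateTest is Test {
    PausableTellerProxy proxy;
    function setUp() public { proxy = new PausableTellerProxy(address(this)); }

    function testOwnerCanPauseAndUnpause() public {
        assertEq(proxy.deposit(1), 1);
        proxy.pause();
        vm.expectRevert(TellerWithMultiAssetSupportPredicateProxy__Paused.selector);
        proxy.deposit(1);
        proxy.unpause();
        assertEq(proxy.deposit(1), 1);
        assertEq(proxy.totalDeposited(), 2);
    }

    function testNonOwnerCannotPause() public {
        vm.prank(address(0xBEEF));
        vm.expectRevert(abi.encodeWithSelector(Ownable.OwnableUnauthorizedAccount.selector, address(0xBEEF)));
        proxy.pause();
    }
}
```

Run with `forge test`; the first test fails to compile against the original contract precisely because pause()/unpause() do not exist, which is the quickest way to confirm the report.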

References

  • https://github.com/immunefi-team/attackathon-plume-network-nucleus-boring-vault/blob/0ee676b5715075c26db6706960fd49ab59b587fc/src/base/Roles/TellerWithMultiAssetSupportPredicateProxy.sol#L78-L80

  • https://github.com/immunefi-team/attackathon-plume-network-nucleus-boring-vault/blob/0ee676b5715075c26db6706960fd49ab59b587fc/src/base/Roles/TellerWithMultiAssetSupportPredicateProxy.sol#L133-L135

Proof of Concept

  • Reproduction step 1: The owner identifies a critical vulnerability being exploited through the deposit / depositAndBridge functions.

  • Reproduction step 2: The owner attempts to pause the contract but finds there is no external pause()/unpause() function available, so the contract cannot be paused.
