The contract MoneyBrinter does not consider Kodiak farm's pausing status for staking and withdrawals. This can cause MoneyBrinter to be incompliant with ERC-4626
Vulnerability Details
Both function depositFor() and withdrawTo() from Beradrome farm plugin contract handle withdraw locked all from Kodiak farm and continue to stake all into the farm. Here depositFor() is called by MoneyBrinter::deposit() and MoneyBrinter::mint(). The function withdrawTo()is called byMoneyBrinter::withdraw()andMoneyBrinter::redeem(). So all the core functions of MoneyBrinter` contract go through the steps Farm::withdrawLockedAll() -> Farm::stakeLocked().
On the other side, the farm contract has pausing feature for the staking and withdrawals. So in case only one of these two is paused, then the core functions of MoneyBrinter contract does not work and all funds can be temporarily locked in farm contract
function toggleStaking() external onlyOwner {
stakingPaused = !stakingPaused;
}
function toggleWithdrawals() external onlyOwner {
withdrawalsPaused = !withdrawalsPaused;
}
Impact Details
ERC-4626 incompliant
Contract's core functions can be unable to operate
Run the test by command forge t --mt test_Valid_Deposit_Into_Beradrome -vv and the console shows
Ran 1 test for test/vault/Vault_IntegrationTest_ZeroFee.t.sol:Vault_IntegrationTest_ZeroFee
[PASS] test_Valid_Deposit_Into_Beradrome() (gas: 810185)
Logs:
max deposit: 115792089237316195423570985008687907853269984665640564039457584007913129639935
It means that the maxDeposit() returns wrong value, and it is also impossible to deposit into the vault even when Kodiak farm only pauses withdrawals
