[C-01] Pausing mechanism will leave users' funds stuck #43

@ddimitrov22

Impact: High because users will lose all of their funds

Likelihood: High because there is no way to retrieve their funds when the contract is paused

Description

All of the contracts inherit the Pausable library, which allows the project to be paused. This is a helpful feature in different cases (e.g. emergency) as it allows the admin to pause specific functionalities. However, the way it is implemented is problematic and will lead to users losing funds.

For example, the SingleSidedInsurancePool can be paused and the following functions have the whenNotPaused modifier:

  • leaveFromPoolInPending
  • leaveFromPending
  • lpTransfer
  • harvest

However, the enterInPool doesn't have it:

function enterInPool(uint256 _amount) external override isStartTime isAlive nonReentrant {

This means that, if the protocol is paused, users will be able to deposit funds into the protocol, but there is absolutely no way to get back their funds. This is also true for the SSRP and the PremiumPool. This will result in users losing 100% of their funds.

This opens up another attack vector, where the protocol owner can decide if the users are able to withdraw/claim any funds from it. There is also the possibility that an admin pauses the contracts and renounces ownership, which will leave the funds stuck in the contract forever.

Recommendations

Add the whenNotPaused modifier to deposit functionalities and consider removing it from withdraw functions as users should be able to withdraw their funds anytime.
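
The modifier placement described in this finding next to the recommended placement, as an added example that is not the audited project's code. The contract names, `PausableLite`, `setPaused` and `leaveFromPool` are hypothetical, and the pool holds native ETH rather than the project's token so the sketch needs no imports.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only. Minimal stand-in for a Pausable base (hypothetical).
abstract contract PausableLite {
    address public owner = msg.sender;
    bool public paused;

    modifier whenNotPaused() {
        require(!paused, "paused");
        _;
    }

    function setPaused(bool _paused) external {
        require(msg.sender == owner, "not owner");
        paused = _paused;
    }
}

// Pattern from the finding: the exit path is gated, the entry path is not.
contract PoolAsReported is PausableLite {
    mapping(address => uint256) public balanceOf;

    function enterInPool() external payable {
        balanceOf[msg.sender] += msg.value; // still accepts funds while paused
    }

    function leaveFromPool(uint256 amount) external whenNotPaused {
        balanceOf[msg.sender] -= amount; // reverts on underflow (0.8+)
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// Recommended pattern: pausing blocks new deposits only, exits stay open.
contract PoolAsRecommended is PausableLite {
    mapping(address => uint256) public balanceOf;

    function enterInPool() external payable whenNotPaused {
        balanceOf[msg.sender] += msg.value;
    }

    function leaveFromPool(uint256 amount) external {
        balanceOf[msg.sender] -= amount; // state updated before the external call
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

With `paused` set to true, `PoolAsReported.enterInPool` succeeds while `leaveFromPool` reverts; in `PoolAsRecommended` the deposit reverts and the withdrawal goes through.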
