Category: Business Logic

Paused state is not checked

Medium Severity
Medium Impact
Low Likelihood

Description

The strategy can be paused during certain periods that are considered dangerous for the system. This is usually done to protect the system from attacks or to prevent it from making bad decisions.

However, not all functions perform checks on whether the system is paused or not. This means that users can still interact with the system, even though it is paused. This can lead to unexpected behavior and potential losses for the users.

The affected functions are essentially all the external/public functions that can be called by anyone or by the vault — for example, the deposit and harvest functions.

Impact

This issue can lead to unexpected behavior and potential losses for the users.

Recommendations

We recommend performing the necessary checks in all the external/public functions that can be called by anyone or by the vault. This will prevent users from interacting with the system when it is paused.

For example, the following modifier can be used in deposit:

function deposit() 
    external 
    onlyCalmPeriods 
+   whenNotPaused {
    _onlyVault();

    // Add All Liquidity
    _setTicks();
    _addLiquidity();
    
    (uint256 bal0, uint256 bal1) = balances();

    // TVL Balances after deposit
    emit Deposit(bal0, bal1);
}    

Similarly, the same modifier can be used for the rest of the affected functions.
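To find the rest of the affected functions, the following Python script (an added example, not part of the original report or of Beefy's code) scans Solidity source for state-changing external/public functions whose header lacks the whenNotPaused modifier. The sample contract, the `panic` function and the `exempt` parameter are constructed assumptions for illustration.

```python
import re

# Constructed sample contract for illustration (not the audited Beefy source).
SAMPLE = """
contract Strategy {
    function deposit() external onlyCalmPeriods { _onlyVault(); }
    function withdraw(uint256 a0, uint256 a1) external whenNotPaused { _onlyVault(); }
    function harvest(address to)
        external
    {
        _harvest(to);
    }
    // function old() external {}
    function balances() public view returns (uint256, uint256) { return (0, 0); }
    function panic() external onlyOwner { _pause(); }
    function _addLiquidity() private {}
}
"""

# A function header: name, parameter list, then everything up to '{' or ';'.
HEADER = re.compile(r"\bfunction\s+(\w+)\s*\(([^)]*)\)([^{;]*)[{;]")

def strip_comments(src):
    """Drop block and line comments so commented-out code is not scanned."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def unguarded(src, guard="whenNotPaused", exempt=()):
    """Names of state-changing external/public functions lacking `guard`."""
    findings = []
    for name, _params, tail in HEADER.findall(strip_comments(src)):
        words = set(re.findall(r"\w+", tail))
        if not words & {"external", "public"}:
            continue  # internal/private: not an entry point
        if words & {"view", "pure"}:
            continue  # read-only, cannot move funds
        if guard in words or name in exempt:
            continue
        findings.append(name)
    return findings

if __name__ == "__main__":
    # `panic` is exempted on the assumption that emergency functions must work while paused.
    print(unguarded(SAMPLE, exempt=("panic",)))
```

The script inspects function headers only, so a function that enforces the pause with a check inside its body, or inherits the guard from an overridden parent, is still reported and needs manual review.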

Remediation

This issue has been acknowledged by Beefy, and a fix was implemented in commit 9fbd3d43.

Zellic © 2024