Security Upgrades to harden Protocol Security

[pankajjagtapp]

Note

High Risk
High risk because it changes pause semantics and access control across core protocol contracts, and modifies withdrawal/claim paths and reentrancy protections that directly impact fund movement.

Overview
Introduces a new time-bounded pause mechanism via PausableUntil (namespaced storage, max 1 day + per-pauser cooldown) and adds PAUSE_UNTIL_ROLE/UNPAUSE_UNTIL_ROLE to RoleRegistry, wiring pauseContractUntil() / unpauseContractUntil() into multiple contracts and ensuring whenNotPaused checks also block during a timed pause.

Hardens fund-movement surfaces with a new ReentrancyGuardNamespaced (upgrade-safe storage slot) and applies nonReentrant to LiquidityPool deposit/withdraw/request flows and WithdrawRequestNFT claim paths; WithdrawRequestNFT.invalidateRequest is also restricted to non-finalized requests.

Adjusts operational access control: Liquifier migrates from internal admin/pauser mappings to RoleRegistry roles (adds LIQUIFIER_ADMIN_ROLE/LIQUIFIER_SENDER_ROLE and constructor arg), and EtherFiAdmin.executeTasks becomes permissionless once oracle consensus/freshness checks pass. Withdrawal claims are made more resilient during pauses by allowing permissionless claim paths (WithdrawRequestNFT/PriorityWithdrawalQueue) to proceed even when the LiquidityPool is paused, and PriorityWithdrawalQueue claim functions no longer require whenNotPaused.

^{Reviewed by Cursor Bugbot for commit 6db9c1a. Bugbot is set up for automated code reviews on this repo. Configure here.}

[cursor]

Removed access control enables MEV sandwich attacks on rebases

High Severity

Removing the ETHERFI_ORACLE_EXECUTOR_TASK_MANAGER_ROLE check from executeTasks makes it callable by any address. While report data is still consensus-validated, the caller now controls the exact timing of rebases and protocol fee payments. Since _handleAccruedRewards triggers membershipManager.rebase() which changes the eETH exchange rate via liquidityPool.rebase(), a MEV searcher can sandwich the call: buy eETH, call executeTasks to trigger a positive rebase, then sell eETH at the now-higher rate. Previously the role-gated executor made timing manipulation impractical. This contradicts the PR's stated goal of hardening protocol security.

Additional Locations (1)

• src/EtherFiAdmin.sol#L186-L190

 

^{Reviewed by Cursor Bugbot for commit 1b934ff. Configure here.}

[github-actions]

📊 Forge Coverage Report

Coverage report could not be generated. Check workflow logs for details.

_{Generated by workflow run #697}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 2 total unresolved issues (including 1 from previous review).

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 6db9c1a. Configure here.}

[cursor]

Timed pause blocks full pause escalation in OZ-based contracts

Medium Severity

Overriding _requireNotPaused() to call _requireNotPausedUntil() causes OZ's internal _pause() (which uses whenNotPaused) to revert while a timed pause is active. This prevents escalating from a pauseContractUntil to a permanent pauseContract — the PROTOCOL_PAUSER must first call unpauseContractUntil, creating a brief unpaused window. This is inconsistent with LiquidityPool, WithdrawRequestNFT, PriorityWithdrawalQueue, etc., which add the check in the whenNotPaused modifier instead and CAN escalate freely.

Additional Locations (2)

• src/EtherFiRateLimiter.sol#L46-L50
• src/EtherFiRedemptionManager.sol#L430-L434

 

^{Reviewed by Cursor Bugbot for commit 6db9c1a. Configure here.}