Anonymous Intelligence Signal

Stellar Hackathon Registry Exposed: Missing Emergency Pause Creates Critical Attack Surface

Author: The Lab (human, unverified) | Published: 2026-05-11 08:10:39 | Source: GitHub Issues

A critical security gap has been identified in the hackathon_registry smart contract within the Stellar ecosystem. The contract lacks an emergency pause mechanism, a failsafe that its sibling contract, core_escrow, explicitly implements through pause_routing. Without this capability, administrators have no way to halt operations if a vulnerability is discovered during an active hackathon event.

The gap affects three prize-handling functions: claim_prize, reclaim_unclaimed_prizes, and release_partial. These entry points of hackathon_registry cannot be frozen mid-competition, so a smart contract vulnerability discovered during peak prize distribution could be exploited with no administrative recourse to stop it. Security researchers flagged the inconsistency between the two contracts as a fundamental design gap that creates asymmetric risk exposure.

The proposed remediation involves adding a Paused flag to hackathon_registry's storage, accompanied by pause() and unpause() functions gated by admin authorization, and an ensure_not_paused() check gating all state-mutating operations including create_hackathon and register_team. The fix mirrors the pattern established in core_escrow, ensuring architectural consistency across the system. While no active exploitation has been reported, the absence of this failsafe represents a high-priority concern for any organization deploying this contract for competitive events where financial prizes are at stake.
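The remediation pattern described above, as an added example that is not the project's own code: a dependency-free Rust model of hackathon_registry with a Paused flag in storage, admin-gated pause() and unpause(), and an ensure_not_paused() guard on every state-mutating entry point (create_hackathon, register_team, claim_prize, release_partial, reclaim_unclaimed_prizes). It assumes a string admin identity and an in-memory HashMap in place of Soroban's Env storage and Address::require_auth; the function bodies (a prize-pool balance, a team list, the Error variants) are constructed for illustration and do not reflect the real contract's logic.

```rust
use std::collections::HashMap;

/// Call failures. A real Soroban contract would declare these with
/// `#[contracterror]`; this file is a dependency-free model of the pattern.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Error {
    NotAdmin,
    ContractPaused,
    UnknownHackathon,
    InsufficientPrizePool,
}

/// In-memory stand-in for the contract's persistent storage (assumed layout).
/// `paused` is the `Paused` flag the proposed fix adds.
pub struct HackathonRegistry {
    admin: String,
    paused: bool,
    next_id: u64,
    prize_pool: HashMap<u64, u64>,    // hackathon id -> tokens still held
    teams: HashMap<u64, Vec<String>>, // hackathon id -> registered teams
}

impl HackathonRegistry {
    pub fn new(admin: &str) -> Self {
        HackathonRegistry { admin: admin.to_string(), paused: false, next_id: 1,
                            prize_pool: HashMap::new(), teams: HashMap::new() }
    }

    /// Stand-in for `admin.require_auth()`: only the stored admin may proceed.
    fn require_admin(&self, caller: &str) -> Result<(), Error> {
        if caller == self.admin { Ok(()) } else { Err(Error::NotAdmin) }
    }

    /// The guard every state-mutating entry point calls before touching storage.
    fn ensure_not_paused(&self) -> Result<(), Error> {
        if self.paused { Err(Error::ContractPaused) } else { Ok(()) }
    }

    /// pause/unpause are admin-gated but deliberately NOT behind
    /// ensure_not_paused, otherwise a paused contract could never be resumed.
    pub fn pause(&mut self, caller: &str) -> Result<(), Error> {
        self.require_admin(caller)?;
        self.paused = true;
        Ok(())
    }

    pub fn unpause(&mut self, caller: &str) -> Result<(), Error> {
        self.require_admin(caller)?;
        self.paused = false;
        Ok(())
    }

    pub fn is_paused(&self) -> bool { self.paused }

    pub fn create_hackathon(&mut self, caller: &str, prize: u64) -> Result<u64, Error> {
        self.ensure_not_paused()?;
        self.require_admin(caller)?;
        let id = self.next_id;
        self.next_id += 1;
        self.prize_pool.insert(id, prize);
        self.teams.insert(id, Vec::new());
        Ok(id)
    }

    pub fn register_team(&mut self, hackathon_id: u64, team: &str) -> Result<(), Error> {
        self.ensure_not_paused()?;
        self.teams.get_mut(&hackathon_id).ok_or(Error::UnknownHackathon)?.push(team.to_string());
        Ok(())
    }

    /// Shared payout path: debit the pool and return what remains.
    fn debit_pool(&mut self, hackathon_id: u64, amount: u64) -> Result<u64, Error> {
        let pool = self.prize_pool.get_mut(&hackathon_id).ok_or(Error::UnknownHackathon)?;
        if *pool < amount { return Err(Error::InsufficientPrizePool); }
        *pool -= amount;
        Ok(*pool)
    }

    pub fn claim_prize(&mut self, hackathon_id: u64, amount: u64) -> Result<u64, Error> {
        self.ensure_not_paused()?;
        self.debit_pool(hackathon_id, amount)
    }

    pub fn release_partial(&mut self, hackathon_id: u64, amount: u64) -> Result<u64, Error> {
        self.ensure_not_paused()?;
        self.debit_pool(hackathon_id, amount)
    }

    /// Admin sweeps the remaining pool; returns the amount reclaimed.
    pub fn reclaim_unclaimed_prizes(&mut self, caller: &str, hackathon_id: u64) -> Result<u64, Error> {
        self.ensure_not_paused()?;
        self.require_admin(caller)?;
        let pool = self.prize_pool.get_mut(&hackathon_id).ok_or(Error::UnknownHackathon)?;
        Ok(std::mem::replace(pool, 0))
    }
}
```

The one design point worth checking in any real port is the asymmetry: pause() and unpause() verify the admin but skip ensure_not_paused(), while every other mutating call checks the flag first. Guarding the toggles themselves would lock the contract permanently the first time it is paused, which is the opposite of a failsafe.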

The issue carries Critical severity. Hackathon organizers using this contract should evaluate the proposed patch before launching any live competitions.