Even when the Vault contract is paused, the rebalance function is not paused
Medium
Finding description and impact
When the contract is paused, rebalance is not paused. While users cannot withdraw, performance fees can still be collected from interest.
Proof of Concept
The rebalance function should not be callable when paused (according to the documentation), but it can still be called even when paused. This means that while users cannot withdraw their investments from the Vault when paused, it is still possible to collect performance fees on interest through the rebalance function. MultiStrategyVault has the same issue.
```solidity
function rebalance(
    IVault.RebalanceCommand[] calldata commands
) external override nonReentrant onlyRole(VAULT_MANAGER_ROLE) returns (bool success) {
    success = true;
    uint256 numCommands = commands.length;
    for (uint256 i = 0; i < numCommands; ) {
        if (commands[i].action == HARVEST_VAULT) {
            _harvestAndMintFees();
        }
        unchecked {
            i++;
        }
    }
}
```
Recommended Mitigation Steps
Add the whenNotPaused modifier to the rebalance function.
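The following is an added illustration, not code from the audited project: a constructed MockVault (with a plain manager check and pause flag standing in for onlyRole, nonReentrant and the real pause logic) carries the reported shape of rebalance beside the mitigated one, and a PauseCheck contract pauses the vault and reports which variant still mints fees. The names MockVault, PauseCheck, feesMinted, rebalanceUnguarded and check are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed stand-in for the Vault: a pause flag, a manager check and a fee
// counter that stands in for the state change made by _harvestAndMintFees().
contract MockVault {
    struct RebalanceCommand { uint8 action; }
    uint8 public constant HARVEST_VAULT = 1;
    address public immutable manager;
    bool public paused;
    uint256 public feesMinted;
    error EnforcedPause();
    error NotManager();
    modifier onlyManager() { if (msg.sender != manager) revert NotManager(); _; }
    modifier whenNotPaused() { if (paused) revert EnforcedPause(); _; }
    constructor() { manager = msg.sender; }
    function pause() external onlyManager { paused = true; }
    function _harvestAndMintFees() internal { feesMinted += 1; }

    // Shape of the reported function: only the manager check guards it, so a
    // HARVEST_VAULT command still mints performance fees after pause().
    function rebalanceUnguarded(RebalanceCommand[] calldata commands) external onlyManager returns (bool) {
        for (uint256 i = 0; i < commands.length; ++i) {
            if (commands[i].action == HARVEST_VAULT) _harvestAndMintFees();
        }
        return true;
    }

    // Mitigated shape: whenNotPaused reverts the whole call while paused.
    function rebalance(RebalanceCommand[] calldata commands) external onlyManager whenNotPaused returns (bool) {
        for (uint256 i = 0; i < commands.length; ++i) {
            if (commands[i].action == HARVEST_VAULT) _harvestAndMintFees();
        }
        return true;
    }
}

// Deploys the vault (so this contract is its manager), pauses it, then sends one
// HARVEST_VAULT command to each variant and reports whether fees were minted.
contract PauseCheck {
    function check() external returns (bool unguardedMinted, bool guardedMinted) {
        MockVault v = new MockVault();
        v.pause();
        MockVault.RebalanceCommand[] memory cmds = new MockVault.RebalanceCommand[](1);
        cmds[0] = MockVault.RebalanceCommand(v.HARVEST_VAULT());
        uint256 before = v.feesMinted();
        try v.rebalanceUnguarded(cmds) {} catch {}
        unguardedMinted = v.feesMinted() > before;   // fees minted despite the pause
        before = v.feesMinted();
        try v.rebalance(cmds) {} catch {}            // reverts with EnforcedPause
        guardedMinted = v.feesMinted() > before;
    }
}
```

Deploy PauseCheck and call check(): the unguarded variant reports minted fees while the vault is paused, the guarded variant does not, which is the behaviour the recommended whenNotPaused modifier restores.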