20,000 USDC
Submission Details
Severity: gas
Valid

`PoolBalanceUpdated` event is emitted even when pool balance is not changed.

Vulnerability Details

```solidity
function setPool(Pool calldata p) public returns (bytes32 poolId) {
    ...
    uint256 currentBalance = pools[poolId].poolBalance;
    if (p.poolBalance > currentBalance) {
        // if new balance > current balance then transfer the difference from the lender
        IERC20(p.loanToken).transferFrom(
            p.lender,
            address(this),
            p.poolBalance - currentBalance
        );
    } else if (p.poolBalance < currentBalance) {
        // if new balance < current balance then transfer the difference back to the lender
        IERC20(p.loanToken).transfer(
            p.lender,
            currentBalance - p.poolBalance
        );
    }
    emit PoolBalanceUpdated(poolId, p.poolBalance);
    ...
}
```
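To measure how often this no-op emission occurs, the added example below (not part of the submission or the audited project) scans decoded `PoolBalanceUpdated` logs for events whose balance equals the pool's previous value and prices one emission with the EVM LOG cost formula. The event's indexed-parameter count is not shown on this page, so `indexed_params` is an assumption the caller supplies, and the sample stream is constructed.

```python
from dataclasses import dataclass

# EVM LOG pricing: 375 gas base, 375 per topic, 8 per byte of data
# (memory expansion and stack setup are not included).
LOG_BASE, LOG_TOPIC, LOG_DATA_BYTE = 375, 375, 8


@dataclass(frozen=True)
class BalanceEvent:
    """One decoded PoolBalanceUpdated(poolId, balance) log, in chain order."""
    pool_id: str
    balance: int


def log_gas(indexed_params: int, total_params: int = 2) -> int:
    """LOG opcode gas for one event with 32-byte parameters (topic 0 = signature)."""
    topics = 1 + indexed_params
    data_bytes = 32 * (total_params - indexed_params)
    return LOG_BASE + LOG_TOPIC * topics + LOG_DATA_BYTE * data_bytes


def redundant_emissions(events, from_genesis=True):
    """Return the events whose balance equals the pool's previously known balance.

    from_genesis=True: the stream starts at deployment, so an unseen pool has
    balance 0 (the default value of pools[poolId].poolBalance).
    from_genesis=False: the first event seen per pool only sets the baseline.
    """
    last = {}
    redundant = []
    for ev in events:
        prev = last.get(ev.pool_id, 0 if from_genesis else None)
        if prev is not None and prev == ev.balance:
            redundant.append(ev)
        last[ev.pool_id] = ev.balance
    return redundant


# Constructed sample stream (not real chain data).
SAMPLE = [
    BalanceEvent("0xaa", 1000),  # deposit: real change
    BalanceEvent("0xaa", 1000),  # same balance re-submitted: redundant
    BalanceEvent("0xbb", 0),     # new pool created empty: redundant
    BalanceEvent("0xaa", 400),   # withdrawal: real change
    BalanceEvent("0xbb", 0),     # redundant
]
```

Multiplying `len(redundant_emissions(...))` by `log_gas(...)` gives a lower bound on the gas spent on emissions that carried no new information.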

Tools Used

Manual Review

Recommendations

The event should only be emitted when the balance has actually changed.

function setPool(Pool calldata p) public returns (bytes32 poolId) {
...
uint256 currentBalance = pools[poolId].poolBalance;
if (p.poolBalance > currentBalance) {
// if new balance > current balance then transfer the difference from the lender
IERC20(p.loanToken).transferFrom(
p.lender,
address(this),
p.poolBalance - currentBalance
);
+ emit PoolBalanceUpdated(poolId, p.poolBalance);
} else if (p.poolBalance < currentBalance) {
// if new balance < current balance then transfer the difference back to the lender
IERC20(p.loanToken).transfer(
p.lender,
currentBalance - p.poolBalance
);
+ emit PoolBalanceUpdated(poolId, p.poolBalance);
}
- emit PoolBalanceUpdated(poolId, p.poolBalance);
...
}
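Review bot: the `emit PoolBalanceUpdated(poolId, p.poolBalance);` statement now appears in both branches; keeping the single emit after the transfers and guarding it with `if (p.poolBalance != currentBalance)` states the condition once and leaves one emit site to maintain. Separately, both branches ignore the return values of `transferFrom` and `transfer`, so with a token that returns false instead of reverting the event would report a balance change that did not take place; check the return value before emitting.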
