Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

Missing caller information in events

Summary

Several critical functions, especially onlyOwner functions, emit events without caller information.

Vulnerability Details

  1. ProxyFactory.sol line 116: the event is emitted when contests are set by the owner. However, the event does not include the owner information.

  2. ProxyFactory.sol line 252: the event Distributed is emitted in _distribute(..), which is in turn called by many organizer or onlyOwner functions, e.g. distributeByOwner(). It does not include the caller of the function, which should be the owner as expected.

Impact

This shortchanges the various off-chain tooling, monitoring, reporting and front-end services that may rely on events to adequately capture real-time activity of the contracts. It may even be critical for security monitoring, so that the project can respond adequately if events show an unexpected owner value for these calls, indicating that ownership has likely been compromised from the trusted party.

Tools Used

Manual Analysis

Recommendations

Ensure events emit the caller, e.g. add address owner to the events in ProxyFactory.sol:

event SetContest(
    address owner, address indexed organizer, bytes32 indexed contestId, uint256 closeTime, address indexed implementation
);
event Distributed(address owner, address indexed proxy, bytes data);
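The monitoring use case from the Impact section, as an added example that is not part of the original submission or of the Sparkn code base: a Python check that decodes raw logs in the recommended Distributed layout and flags callers outside an allow-list. Because `owner` is not indexed it has to be read from the log data rather than filtered by topic; `TOPIC0`, the allow-list and the sample logs are constructed values.

```python
# Added example (not Sparkn code). Assumed layout, from the recommendation:
# Distributed(address owner, address indexed proxy, bytes data) -> topics [sig, proxy]
TOPIC0 = "0x" + "11" * 32             # placeholder, NOT the real signature hash
ALLOWED_CALLERS = {"0x" + "aa" * 20}  # constructed: callers the monitor expects

def _word(buf, i):
    # Return the i-th 32-byte ABI word of buf.
    w = buf[32 * i:32 * i + 32]
    if len(w) != 32:
        raise ValueError("truncated log data")
    return w

def _address(word):
    # ABI addresses are left-padded with 12 zero bytes.
    if word[:12] != bytes(12):
        raise ValueError("bad address padding")
    return "0x" + word[12:].hex()

def decode_distributed(log):
    """Decode one raw log; return None if it is a different event."""
    if len(log["topics"]) != 2 or log["topics"][0] != TOPIC0:
        return None
    raw = bytes.fromhex(log["data"][2:])
    owner = _address(_word(raw, 0))  # non-indexed, so it lives in the data
    offset = int.from_bytes(_word(raw, 1), "big")
    size = int.from_bytes(_word(raw, offset // 32), "big")
    payload = raw[offset + 32:offset + 32 + size]
    if len(payload) != size:
        raise ValueError("truncated bytes payload")
    proxy = _address(bytes.fromhex(log["topics"][1][2:]))
    return {"owner": owner, "proxy": proxy, "data": payload}

def unexpected_callers(logs, allowed=ALLOWED_CALLERS):
    """Return (tx, reason) for Distributed logs that need a human look."""
    alerts = []
    for log in logs:
        try:
            ev = decode_distributed(log)
        except ValueError as exc:  # malformed logs are reported, not skipped
            alerts.append((log["tx"], f"undecodable: {exc}"))
            continue
        if ev and ev["owner"] not in allowed:
            alerts.append((log["tx"], f"caller {ev['owner']} on proxy {ev['proxy']}"))
    return alerts

def sample_log(tx, owner, proxy, payload):
    # Build a constructed raw log: abi.encode(owner, data) with proxy as topic 1.
    pad = lambda a: bytes(12) + bytes.fromhex(a[2:])
    body = pad(owner) + (64).to_bytes(32, "big") + len(payload).to_bytes(32, "big")
    body += payload + bytes(-len(payload) % 32)
    return {"tx": tx, "topics": [TOPIC0, "0x" + pad(proxy).hex()], "data": "0x" + body.hex()}

SAMPLE_LOGS = [sample_log("0x01", "0x" + "aa" * 20, "0x" + "cc" * 20, b"\x01"),
               sample_log("0x02", "0x" + "bb" * 20, "0x" + "cc" * 20, b"")]
```

Since _distribute(..) is also reached from organizer functions, the allow-list would hold the owner plus any organizers the deployment expects.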
