Sparkn

CodeFox Inc.

DeFiFoundryProxy

15,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

Missing caller information in events

aballok

Summary

There are some critical functionalities emitting events without caller information especially onlyOwner functions

Vulnerability Details

ProxyFactory.sol line 116 event is emitted when contest are set by owner. However the event does not emit the owner information
ProxyFactory.sol all line 252 event Distributed that is called in _distribute(..) which is further called in many organizer or onlyOnwer functions e.g distributeByOwner() does not emit the caller of the function which should be owner as expected.

Impact

This short changes various offchain tooling, monitoring, reporting, front end services that may rely on events to adequately capture real time activities of the contracts. It may even be critical for security monitoring so project can respond adequately if events show unexpected owner value for these calls leading to likelihood ownership has been compromised from trusted party

Tools Used

Manual Analysis

Recommendations

Recommended to ensure events emit the caller e.g add address owner to events in ProxyFactory.sol

event SetContest(

address owner, address indexed organizer, bytes32 indexed contestId, uint256 closeTime, address indexed implementation

);

event Distributed(address owner, address indexed proxy, bytes data);

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

194

77 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.