DittoETH

Ditto
DeFiFoundryOracle
55,000 USDC
Submission Details
Severity: low
Invalid

Events missing caller information

Summary

Several events are emitted without caller information (i.e. msg.sender). The rest of the code base appears to follow the best practice of including msg.sender in emitted events, except for the few cases noted here.

Vulnerability Details

A few emitted events are missing the caller information. Take for example
emit Events.CreateMarket(asset, Asset)... in OwnerFacet.sol line 94, which covers a critical piece of functionality: market creation by the DAO. Off-chain monitoring tools could respond if markets were suddenly being created by an address other than the DAO, but only if msg.sender were part of the event.

Most of the events missing caller information are in OwnerFacet.sol (some examples are in the links provided), which involves many critical access-controlled parameter, functionality and protocol updates, so for security reasons it is important that these events emit the caller.

Impact

This not only harms user experience, off-chain front ends, reporting and monitoring tools, but also creates security issues. Without the ability to see unexpected calls from unexpected callers in real time, the platform cannot react to these potential security issues.

Tools Used

Manual Analysis

Recommendations

It is recommended that all events emit caller information by including msg.sender, e.g.

emit EventName(msg.sender, param1, param2...)

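The recommendation above, shown on a simplified stand-in for OwnerFacet.sol. This is an added illustration, not DittoETH's code: the contract name, the `dao` address, the `initialCR` parameter and the placeholder event names are assumptions. It also goes one step further than the text by marking the caller `indexed`, so monitors can filter on the caller topic instead of decoding every log.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, simplified stand-in for DittoETH's Events library and
// OwnerFacet.sol. Market parameters are reduced to one uint16 for brevity.
library Events {
    // Before: no caller information. An off-chain monitor sees that a market
    // was created, but not who created it.
    event CreateMarket(address asset, uint16 initialCR);

    // After: the caller is emitted first and indexed, so it lands in a log
    // topic. A monitor can subscribe with a topic filter on the caller and
    // alert when it is any address other than the DAO.
    event CreateMarketByCaller(address indexed caller, address indexed asset, uint16 initialCR);
}

contract OwnerFacetExample {
    address public immutable dao;          // assumed DAO address
    mapping(address => bool) public isMarket;

    error NotDao();

    constructor(address _dao) {
        dao = _dao;
    }

    modifier onlyDAO() {
        if (msg.sender != dao) revert NotDao();
        _;
    }

    // Critical, access-controlled functionality: market creation by the DAO.
    function createMarket(address asset, uint16 initialCR) external onlyDAO {
        isMarket[asset] = true;
        // Recommended form: include msg.sender so an unexpected caller
        // (for example after a misconfigured ownership transfer) is visible
        // to monitoring tools in real time.
        emit Events.CreateMarketByCaller(msg.sender, asset, initialCR);
    }
}
```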
Updates

Lead Judging Commences

0xnevi Lead Judge
about 2 years ago
0xnevi Lead Judge about 2 years ago
Submission Judgement Published
Invalidated
Reason: Other