DittoETH

Ditto

DeFiFoundryOracle

55,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Events missing old value and new value emissions

aballok

Summary

There are events that are being emitted without any information of the new values and the old values from the changes; for critical parameter, functionality changes

Vulnerability Details

OwnerFacet.sol has a lot of setter functions that emit events that do not give information on the values especially emitting the new value and the old value. Consider below events used in most of the functions that just indicate something changed on the asset or bridge but without any information on the value changes.

emit Events.ChangeBridgeSetting(bridge);

emit Events.ChangeMarketSetting(asset);

The above does not give detailed information that can also help the security of the protocol

Impact

Not only does it have bad effects on user experience, offchain front ends, reporting and monitoring tools but security issues. If there is no ability to see in real time any unexpected value changes, inconsistencies this impacts the ability to react,fix etc these issues putting the protocol functionality at risk

Tools Used

Manual Analysis

Recommendations

Recommended these events also include information on the values that have been updated e.g in fashion like below

// OwnerFacet.sol line 130 function

function setAssetOracle(address asset, address oracle) external onlyDAO {

_setAssetOracle(asset, oracle);

emit Events.UpdateAssetOracle(asset, oracle);

}

\ Change code aspects in above function to ensure new and old values emitted

// Improved OwnerFacet.sol line 130 function

function setAssetOracle(address asset, address oracle) external onlyDAO {

address oldOracle = s.asset[asset].oracle = oracle; // get emit old asset oracle

_setAssetOracle(asset, oracle);

emit Events.UpdateAssetOracle(asset, oracle, oldOracle ); // emit old asset oracle

}

Updates

Lead Judging Commences

0xnevi Lead Judge

about 2 years ago

0xnevi Lead Judge about 2 years ago

Submission Judgement Published

Invalidated

Reason: Other

aballok Submitter

about 2 years ago

0xnevi Lead Judge

about 2 years ago

0xnevi Lead Judge about 2 years ago

Submission Judgement Published

Invalidated

Reason: Other

Prize pool breakdown

Total prize

55,000 USDC

nSLOC

3,365

16 USDC / LOC

High Medium

50,000 USDC

Low

5,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.