First Flight #3: Thunder Loan
First Flight #3
Beginner FriendlyFoundryDeFiOracle
100 EXP
View results
Previous Next
Submission Details
Severity: low
Valid

Missing event when the flash loan fee is updated

ciara

When ThunderLoan::updateFlashLoanFee is called, the flash loan fee, s_flashLoanFee, is updated but no event is emitted.

Vulnerability details

The fee being updated is an important state change. When the owner calls ThunderLoan::updateFlashLoanFee, on line 253-258 the flash loan fee, s_flashLoanFee, is updated but no event is emitted.

function updateFlashLoanFee(uint256 newFee) external onlyOwner {
if (newFee > s_feePrecision) {
revert ThunderLoan__BadNewFee();
}
s_flashLoanFee = newFee;
}

Impact

When the state is initialized or modified, an event needs to be emitted. This is because the history of the contract state changes can be reconstructed using the events emitted. When protocols perform migrations and upgrades, they use events to reconstruct the history of important state variables. If events are missing, this process might not work as intended. This is a low-impact finding with a high likelihood since the contract is upgradeable, so is therefore being graded as a low severity vulnerability.

Recommended mitigation

Add an event to be emitted when s_flashLoanFee is updated:

+ event FlashLoanUpdated(uint256 indexed oldFee, uint256 oldFee);
function updateFlashLoanFee(uint256 newFee) external onlyOwner {
if (newFee > s_feePrecision) {
revert ThunderLoan__BadNewFee();
}
+ emit event FlashLoanUpdated(s_flashLoanFee, newFee);
s_flashLoanFee = newFee;
}
Updates

Lead Judging Commences

0xnevi Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

missing event emission updateFlashLoanFee

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.