stake.link

Description

The recoverTokens function allows the contract owner to recover tokens that were accidentally sent to the contract. However, the function does not emit an event when the recovery action is performed. This lack of event emission reduces transparency and makes it difficult to track and verify recovery actions through external tools like block explorers or subgraphs.

Impact:

The absence of an event reduces the transparency of token recovery actions, which could lead to trust issues with the contract's users.

Proof of Concept:

Deploy the contract and simulate a scenario where tokens are recovered using the recoverTokens function. Observe the transaction receipt or logs to confirm that no event is emitted.

// Simulate a call to recoverTokens
function testRecoverTokensEventEmission() external {
// Assume the contract is already deployed and the owner has tokens to recover
WrappedTokenBridge bridge = WrappedTokenBridge(deployedAddress);

// Prepare a list of tokens to recover
address[] memory tokensToRecover = new address[](1);
tokensToRecover[0] = address(tokenAddress);

// Call recoverTokens as the owner
bridge.recoverTokens(tokensToRecover, receiverAddress);

// Check the transaction logs for the expected event
// Since the event is not implemented, it will not be found

}

Recommendation:

Implement an event that is emitted upon successful execution of the recoverTokens function. The event should include details such as the list of token addresses recovered and the amounts.

event TokensRecovered(address[] tokens, address receiver, uint256[] amounts);

// Modify the recoverTokens function to emit the event
function recoverTokens(address[] calldata _tokens, address _receiver) external onlyOwner {
// Existing validation and recovery logic...

// Emit the event after tokens are successfully transferred
emit TokensRecovered(_tokens, _receiver, amountsRecovered);

}