Emit event for important state update like `setRewardsInitiator(...)`
Summary
The setRewardsInitiator(...) function does not emit any event after updating the contract's state with critical address rewardsInitiator.
Vulnerability Details
The setRewardsInitiator(...) changes a critical address on the contract's state without emitting any event which would help monitoring tools listening to important event notify protocol of critical changes and allow them quickly act to mitigate any suspicious state update.
Other functions that do not emit events after state updates are:
-
setRESDLTokenBridge function: https://github.com/Cyfrin/2023-12-stake-link/blob/549b2b8c4a5b841686fceb9c311dca9ac58225df/contracts/core/ccip/base/SDLPoolCCIPController.sol#L138C5-L140C6
-
setMaxLINKFee function : https://github.com/Cyfrin/2023-12-stake-link/blob/549b2b8c4a5b841686fceb9c311dca9ac58225df/contracts/core/ccip/base/SDLPoolCCIPController.sol#L130C5-L132C6
-
handleIncomingRESDL function : https://github.com/Cyfrin/2023-12-stake-link/blob/549b2b8c4a5b841686fceb9c311dca9ac58225df/contracts/core/ccip/SDLPoolCCIPControllerPrimary.sol#L125C5-L134C6
-
handleOutgoingRESDL function: https://github.com/Cyfrin/2023-12-stake-link/blob/549b2b8c4a5b841686fceb9c311dca9ac58225df/contracts/core/ccip/SDLPoolCCIPControllerPrimary.sol#L103C5-L116C6
-
setBaseURI function: https://github.com/Cyfrin/2023-12-stake-link/blob/549b2b8c4a5b841686fceb9c311dca9ac58225df/contracts/core/sdlPool/base/SDLPool.sol#L363C5-L365C6
-
setCCIPController function : https://github.com/Cyfrin/2023-12-stake-link/blob/549b2b8c4a5b841686fceb9c311dca9ac58225df/contracts/core/sdlPool/base/SDLPool.sol#L381C5-L383C6
-
setBoostController function: https://github.com/Cyfrin/2023-12-stake-link/blob/549b2b8c4a5b841686fceb9c311dca9ac58225df/contracts/core/sdlPool/base/SDLPool.sol#L372C5-L374C6
Impact
Security monitoring tools, frontends, off-chain toolings and reporting services that rely on events to capture real time activities of contracts are shortchanged.
This can be critical because in the event of suspicious event emissions, protocols can quickly react to mitigate further potential damage.
Tools Used
Manual review
Recommendations
Emit an event for the setRewardsInitiator(...) , The event should contain both old and new rewardsInitiator addresses.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.