stake.link

DeFi, Hardhat, Bridge
27,500 USDC
Submission Details
Severity: low
Invalid

Emit event for important state update like `setRewardsInitiator(...)`

Summary

The setRewardsInitiator(...) function does not emit an event after updating the contract's state with the critical address rewardsInitiator.

Vulnerability Details

setRewardsInitiator(...) changes a critical address in the contract's state without emitting an event. An event would let monitoring tools that listen for important events notify the protocol of critical changes, so that it can act quickly to mitigate any suspicious state update.

function setRewardsInitiator(address _rewardsInitiator) external onlyOwner {
    rewardsInitiator = _rewardsInitiator; //@audit emit event with old and new rewardsInitiator
}

Other functions that do not emit events after state updates are:

Impact

Security monitoring tools, frontends, off-chain tooling and reporting services that rely on events to capture real-time contract activity are shortchanged.
This can be critical because, when suspicious events are emitted, protocols can react quickly to mitigate further potential damage.

Tools Used

Manual review

Recommendations

Emit an event in setRewardsInitiator(...). The event should contain both the old and the new rewardsInitiator addresses.
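
A sketch of the recommended change, added here as an illustration and not taken from the stake.link code base. The contract name, the event name RewardsInitiatorUpdated, the inline owner check and the compiler pragma are assumptions made so the snippet compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4; // assumed version; the page does not state one

// Hypothetical stand-alone contract; only setRewardsInitiator and
// rewardsInitiator come from the submission.
contract RewardsInitiatorExample {
    address public owner;
    address public rewardsInitiator;

    // Hypothetical event name. Both addresses are indexed so off-chain
    // monitors can filter logs by either the old or the new initiator.
    event RewardsInitiatorUpdated(
        address indexed oldRewardsInitiator,
        address indexed newRewardsInitiator
    );

    error SenderNotOwner();

    // Minimal stand-in for the onlyOwner modifier used by the original.
    modifier onlyOwner() {
        if (msg.sender != owner) revert SenderNotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    function setRewardsInitiator(address _rewardsInitiator) external onlyOwner {
        // Cache the previous value before overwriting it, so the event
        // records the full transition and not just the new address.
        address oldRewardsInitiator = rewardsInitiator;
        rewardsInitiator = _rewardsInitiator;
        emit RewardsInitiatorUpdated(oldRewardsInitiator, _rewardsInitiator);
    }
}
```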

Updates

Lead Judging Commences

0kage Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
