The Standard

DeFiHardhat
20,000 USDC
Submission Details
Severity: low
Invalid

Missing events for access control and arithmetic parameters

Summary

There are some missing events for access control and arithmetic parameters inside the smart contracts. The full list of functions with missing events is given under "Vulnerability Details" below.

Vulnerability Details

Missing events for arithmetic parameters:

  • LiquidationPoolManager.setPoolFeePercentage(uint32) (contracts/LiquidationPoolManager.sol#84-86) should emit an event for:

      - poolFeePercentage = _poolFeePercentage (contracts/LiquidationPoolManager.sol#85)
    
  • SmartVaultManagerV5.setMintFeeRate(uint256) (contracts/SmartVaultManagerV5.sol#103-105) should emit an event for:

      - mintFeeRate = _rate (contracts/SmartVaultManagerV5.sol#104) 
    
  • SmartVaultManagerV5.setBurnFeeRate(uint256) (contracts/SmartVaultManagerV5.sol#107-109) should emit an event for:

      - burnFeeRate = _rate (contracts/SmartVaultManagerV5.sol#108) 
    
  • SmartVaultManager.setSwapFeeRate(uint256 _rate) (contracts/utils/SmartVaultManager.sol#111-113) should emit an event for:

      - mintFeeRate = _rate (contracts/utils/SmartVaultManager.sol#112) 
    

Missing events for access control parameters:

  • SmartVaultManagerV5.setLiquidatorAddress(address) (contracts/SmartVaultManagerV5.sol#135-137) should emit an event for:

      - liquidator = _liquidator (contracts/SmartVaultManagerV5.sol#136) 
    
  • SmartVaultV3.setOwner(address) (contracts/SmartVaultV3.sol#233-235) should emit an event for:

      - owner = _newOwner (contracts/SmartVaultV3.sol#234) 
    

Impact

In Ethereum, events are used to facilitate communication between smart contracts and their user interfaces or other off-chain services. When an event is emitted, it gets logged in the transaction receipt, and these logs can be monitored and reacted to by off-chain services or user interfaces.

Without an event for each parameter listed above, any off-chain service or user interface that needs to know the current state would have to actively query the contract state to get the current value. This is less efficient than simply listening directly for events, and it can lead to delays in detecting changes to parameters.

The impact of this could be significant because these parameters are used to calculate the usage cost for users (feeRate). If, for example, the fees change and an off-chain service or user is not aware of the change because they didn't query the contract state at the right time, they could end up paying a different fee than they expected.

Tools Used

Slither
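
The pattern listed under "Vulnerability Details" can be checked at text level, shown here as an added example that is not part of the submission and not Slither's implementation: it flags access-guarded setters that assign a parameter to a variable with no `emit` inside the same function body. The names `silent_setters` and `body_at` and the Solidity sample are constructed for this example; the regex parsing assumes comment-free source and does not distinguish local variables from state variables.

```python
import re

# Constructed Solidity fragment; only setBurnFeeRate emits an event.
SAMPLE = """
contract Demo {
    event BurnFeeRateUpdated(uint256 newBurnFeeRate);
    function setMintFeeRate(uint256 _rate) external onlyOwner {
        mintFeeRate = _rate;
    }
    function setBurnFeeRate(uint256 _rate) external onlyOwner {
        burnFeeRate = _rate;
        emit BurnFeeRateUpdated(_rate);
    }
    function setOwner(address _newOwner) external onlyVaultManager {
        owner = _newOwner;
    }
    function feeFor(uint256 _a) external view returns (uint256) { return _a; }
}
"""

GUARDS = ("onlyOwner", "onlyVaultManager")  # access modifiers seen on the page
FUNC_RE = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)([^{;]*)\{")
WRITE_RE = re.compile(r"\b(\w+)\s*=\s*(\w+)\s*;")  # matches `variable = _param;`

def body_at(src, open_idx):
    """Return the text between the brace at open_idx and its matching close."""
    depth = 0
    for i in range(open_idx, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[open_idx + 1:i]
    raise ValueError("unbalanced braces")

def silent_setters(src):
    """List (function, written variables) for guarded setters with no emit."""
    findings = []
    for m in FUNC_RE.finditer(src):
        name, params, header = m.groups()
        if not any(g in header for g in GUARDS):
            continue  # only privileged setters are of interest here
        body = body_at(src, m.end() - 1)
        names = {p.split()[-1] for p in params.split(",") if p.strip()}
        written = [lhs for lhs, rhs in WRITE_RE.findall(body) if rhs in names]
        if written and not re.search(r"\bemit\s+\w+\s*\(", body):
            findings.append((name, written))
    return findings

if __name__ == "__main__":
    print(silent_setters(SAMPLE))
```

Because the `emit` is looked for only between the function's own braces, a statement placed after the closing brace does not count as emitted.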

Recommendations

Emit an event for critical parameter changes.

+ event PoolFeePercentageUdated(uint32 indexed newPoolFeePercentage);
function setPoolFeePercentage(uint32 _poolFeePercentage) external onlyOwner {
poolFeePercentage = _poolFeePercentage;
}
+ emit PoolFeePercentageUdated(poolFeePercentage);
}
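
Review bot: The event name is misspelled as `PoolFeePercentageUdated` in both the declaration and the `emit`; rename it to `PoolFeePercentageUpdated` before it becomes part of the ABI that indexers subscribe to. The `emit` line also sits after the function's closing brace and is followed by a second `}`, so as written it is outside `setPoolFeePercentage`; move it to directly after `poolFeePercentage = _poolFeePercentage;` and drop the extra brace.
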
+ event MintFeeRateUpdated(uint256 indexed newMintFeeRate);
function setMintFeeRate(uint256 _rate) external onlyOwner {
mintFeeRate = _rate;
+ emit MintFeeRateUpdated(mintFeeRate);
}
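
Review bot: `indexed` on `newMintFeeRate` stores the rate as a log topic, which only helps a consumer that filters for one exact rate value. For a fee parameter, a plain data field is the more useful choice, and adding the previous rate next to the new one (read before `mintFeeRate = _rate;`) lets a monitor see the size of the change from the log alone.
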
+ event BurnFeeRateUpdated(uint256 indexed newBurnFeeRate);
function setBurnFeeRate(uint256 _rate) external onlyOwner {
burnFeeRate = _rate;
}
+ emit BurnFeeRateUpdated(burnFeeRate);
+ event SwapFeeRateUpdated(uint256 indexed newSwapFeeRate);
function setSwapFeeRate(uint256 _rate) external onlyOwner {
swapFeeRate = _rate;
}
+ emit SwapFeeRateUpdated(swapFeeRate);
+ event LiquidatorAddressUpdated(address indexed newLiquidator);
function setLiquidatorAddress(address _liquidator) external onlyOwner() {
liquidator = _liquidator;
}
+ emit LiquidatorAddressUpdated(liquidator);
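
Review bot: `LiquidatorAddressUpdated` carries only the new address, and its `emit` is placed after the closing brace of `setLiquidatorAddress` instead of inside it. For an access-control change, emit inside the body and include the previous liquidator (captured before `liquidator = _liquidator;`) so the log records the full handover; emitting `_liquidator` instead of re-reading `liquidator` also avoids an extra storage read.
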
+ event OwnerUpdated(address indexed owner);
function setOwner(address _newOwner) external onlyVaultManager {
owner = _newOwner;
}
+ emit setOwner(owner);
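
Review bot: The last line emits `setOwner(owner)`, which is the function's own name and not the event declared above it as `OwnerUpdated(address indexed owner)`. It should read `emit OwnerUpdated(owner);` and sit inside `setOwner`, after `owner = _newOwner;` and before the closing brace.
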
Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

events

informational/invalid

kiteweb3 Submitter
over 1 year ago
