MorpheusAI

Foundry
22,500 USDC
Submission Details
Severity: medium
Invalid

`StETHMock::setTotalPooledEther` missing event

Summary

The StETHMock::setTotalPooledEther function does not emit an event, so changes to the value of totalPooledEther are difficult to track off-chain.

Vulnerability Details

```solidity
function setTotalPooledEther(uint256 _totalPooledEther) external onlyOwner {
@>  totalPooledEther = _totalPooledEther;
}
```

Impact

In Ethereum, events are used to facilitate communication between smart contracts and their user interfaces or other off-chain services. When an event is emitted, it gets logged in the transaction receipt, and these logs can be monitored and reacted to by off-chain services or user interfaces.

Without a TotalPooledEtherUpdated event, any off-chain service or user interface that needs to know the current totalPooledEther would have to actively query the contract state to get the current value. This is less efficient than simply listening for the TotalPooledEtherUpdated event, and it can lead to delays in detecting changes to the totalPooledEther.

The impact of this could be significant because the totalPooledEther is a state variable in the StETHMock.sol contract. It represents the total amount of Ether that has been pooled in the contract. In the context of the contract, "pooling" refers to the process of locking up or staking Ether in the contract. When users stake their Ether, the totalPooledEther increases.
This variable is used in various calculations throughout the contract. For example, in the getSharesByPooledEth function, it's used to calculate the number of shares a user gets for a certain amount of Ether. Similarly, in the getPooledEthByShares function, it's used to calculate how much Ether a certain number of shares corresponds to.

It's important to note that the totalPooledEther can be updated by the owner of the contract using the setTotalPooledEther function. So if the totalPooledEther changes and an off-chain service or user is not aware of the change because they didn't query the contract state at the right time, they could end up with wrong information.
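The difference described above, as a Foundry test (an added example, not code from the submission or the MorpheusAI repository): the setter without an event leaves no log for an off-chain consumer, while the variant using the event signature from this finding's recommendation writes one log whose topics carry the signature hash and the new value. `OwnedPool`, `SilentMock`, `LoggingMock` and the inline owner check are constructed stand-ins for the real StETHMock, and `forge-std` is assumed to be installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";
import {Vm} from "forge-std/Vm.sol";
// Constructed stand-in for StETHMock: only the owner check and the setter are modelled.
abstract contract OwnedPool {
    address public owner = msg.sender;
    uint256 public totalPooledEther;
    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }
}

contract SilentMock is OwnedPool {
    // Setter as shown in the finding: state changes, no log is written.
    function setTotalPooledEther(uint256 _totalPooledEther) external onlyOwner {
        totalPooledEther = _totalPooledEther;
    }
}

contract LoggingMock is OwnedPool {
    event TotalPooledEtherUpdated(uint256 indexed newTotalPooledEther);
    function setTotalPooledEther(uint256 _totalPooledEther) external onlyOwner {
        totalPooledEther = _totalPooledEther;
        emit TotalPooledEtherUpdated(_totalPooledEther);
    }
}

contract SetterLogTest is Test {
    function test_silentSetterLeavesNoLog() public {
        SilentMock m = new SilentMock(); // the test contract is the owner
        vm.recordLogs();
        m.setTotalPooledEther(123 ether);
        assertEq(m.totalPooledEther(), 123 ether); // state did change
        assertEq(vm.getRecordedLogs().length, 0); // consumers must poll to notice
    }

    function test_loggingSetterIsObservable() public {
        LoggingMock m = new LoggingMock();
        vm.recordLogs();
        m.setTotalPooledEther(123 ether);
        Vm.Log[] memory logs = vm.getRecordedLogs();
        assertEq(logs.length, 1);
        assertEq(logs[0].emitter, address(m));
        assertEq(logs[0].topics[0], keccak256("TotalPooledEtherUpdated(uint256)"));
        assertEq(uint256(logs[0].topics[1]), 123 ether); // indexed value is topic 1
    }
}
```

Run with `forge test --match-contract SetterLogTest`; the same `topics[0]` hash is what a log subscriber filters on.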

Tools Used

Slither

Recommendations

Emit an event for critical parameter changes.

+ event TotalPooledEtherUpdated(uint256 indexed newTotalPooledEther);
function setTotalPooledEther(uint256 _totalPooledEther) external onlyOwner {
@> totalPooledEther = _totalPooledEther;
+ emit TotalPooledEtherUpdated(totalPooledEther);
}
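Review bot: the added `emit` line passes `totalPooledEther`, which is read back from storage, instead of the `_totalPooledEther` argument that was just written; emitting the argument yields the same value without the extra storage read. The event also carries only the new value, so a consumer of the log cannot tell what it replaced; capturing the previous value before the assignment and adding it as a second field would make each log self-describing. `indexed` on a free-form `uint256` only helps a subscriber that filters on one exact amount, so it can likely be dropped.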
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
kiteweb3 Submitter
over 1 year ago
