Beanstalk: The Finale

Summary

The SiloFacet :deposit function does not emit an AddDeposit event, contrary to the expected behavior as described in the function's NatSpec documentation. This omission can lead to difficulties in tracking deposits and debugging transactions on-chain.

Vulnerability Details

The deposit function is designed to handle the deposit of ERC20 tokens into the Silo. The expected behavior includes:

• Transferring the specified amount of tokens from the user's account to the contract.

• Calculating the Bean Denominated Value (BDV) for the deposited tokens.

• Creating or updating a deposit entry for the user in the current season.

• Minting Stalk (another token) to the user's account.

• Emitting an AddDeposit event.

While the first four steps are implemented, the fifth step—emitting the AddDeposit event—is missing. The absence of this event makes it challenging for external systems, such as user interfaces or monitoring tools, to detect and respond to deposit actions effectively.

Impact

Without the event, users and developers cannot easily track deposits via off-chain tools that rely on event logs. This could lead to confusion and difficulties in auditing transactions. Events are a crucial aspect of maintaining transparency in smart contracts. They provide a clear and immutable record of actions taken on-chain. The absence of this event reduces the transparency of the contract's operations. Many DeFi protocols and applications rely on events to trigger actions or update states. The missing event could cause integration issues with other smart contracts or external applications that interact with the SiloFacet contract.

Tools Used

Manual Review

Recommendations

To address this issue, the deposit function should be modified to include the emission of the AddDeposit event. This will ensure consistency with the documented behavior and improve the transparency and usability of the contract.