First Flight #18: T-Swap

Severity: low
Valid

Incorrect Values Emitted in LiquidityAdded Event

Summary

The LiquidityAdded event in the TSWAP contract is emitted with poolTokensToDeposit and wethToDeposit in the wrong order, so each amount is logged under the other's field name. This discrepancy can lead to confusion and misinterpretation of the actual amounts involved in the liquidity addition process.

Vulnerability Details

Events in smart contracts are essential for logging critical information that can be accessed by external users and services. Inaccurate emission of event values can lead to a range of issues including, but not limited to, incorrect data reporting, difficulty in auditing transactions, and misinformed decision-making by users.

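The issue lies in the emit statement of _addLiquidityMintAndTransfer. The event is declared as LiquidityAdded(liquidityProvider, wethDeposited, poolTokensDeposited), but the call passes poolTokensToDeposit before wethToDeposit, so the emitted values do not reflect the amounts actually deposited in each token.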

function _addLiquidityMintAndTransfer(
    uint256 wethToDeposit,
    uint256 poolTokensToDeposit,
    uint256 liquidityTokensToMint
)
    private
{
    _mint(msg.sender, liquidityTokensToMint);
    //@audit wrong amounts emitted
    // event LiquidityAdded(address indexed liquidityProvider, uint256 wethDeposited, uint256 poolTokensDeposited);
@>  emit LiquidityAdded(msg.sender, poolTokensToDeposit, wethToDeposit);
    // Interactions
    i_wethToken.safeTransferFrom(msg.sender, address(this), wethToDeposit);
    i_poolToken.safeTransferFrom(msg.sender, address(this), poolTokensToDeposit);
}

Proof of Concept (PoC):

  1. Deploy a contract with the LiquidityAdded event.

  2. Call the deposit function with specified amounts of pool tokens and WETH.

  3. Observe the emitted event and note the discrepancy between the actual values and the emitted values.
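The PoC steps above as a Foundry test, added here as an example and not taken from the submission or the T-Swap repository. EventOrderHarness is a hypothetical stand-in that reproduces only the two emit orderings shown on this page, the amounts are constructed, and forge-std is assumed to be installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {Vm} from "forge-std/Vm.sol";

// Hypothetical stand-in for the pool: only the event and the emit under test.
contract EventOrderHarness {
    event LiquidityAdded(address indexed liquidityProvider, uint256 wethDeposited, uint256 poolTokensDeposited);
    // Argument order as reported in the finding.
    function addBuggy(uint256 wethToDeposit, uint256 poolTokensToDeposit) external {
        emit LiquidityAdded(msg.sender, poolTokensToDeposit, wethToDeposit);
    }

    // Argument order that matches the event declaration.
    function addFixed(uint256 wethToDeposit, uint256 poolTokensToDeposit) external {
        emit LiquidityAdded(msg.sender, wethToDeposit, poolTokensToDeposit);
    }
}

contract LiquidityAddedOrderTest is Test {
    event LiquidityAdded(address indexed liquidityProvider, uint256 wethDeposited, uint256 poolTokensDeposited);
    EventOrderHarness harness;
    address provider = makeAddr("provider");
    // Constructed amounts, deliberately unequal so a swap cannot go unnoticed.
    uint256 constant WETH = 1 ether;
    uint256 constant POOL = 250 ether;

    function setUp() public {
        harness = new EventOrderHarness();
    }

    function test_fixedEmitMatchesDeclaration() public {
        vm.prank(provider);
        vm.expectEmit(true, false, false, true, address(harness));
        emit LiquidityAdded(provider, WETH, POOL);
        harness.addFixed(WETH, POOL);
    }

    function test_buggyEmitSwapsAmounts() public {
        vm.recordLogs();
        vm.prank(provider);
        harness.addBuggy(WETH, POOL);
        Vm.Log[] memory logs = vm.getRecordedLogs();
        (uint256 weth, uint256 pool) = abi.decode(logs[0].data, (uint256, uint256));
        assertEq(weth, POOL); // pool-token amount logged in the WETH slot
        assertEq(pool, WETH); // WETH amount logged in the pool-token slot
    }
}
```

Using equal amounts for both tokens would let the swapped emit pass the same checks, which is why the two constants differ.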

Impact

  1. User Confusion: Users may be misled about the actual amounts of liquidity added, leading to confusion and potential mistrust in the platform.

  2. Inaccurate Analytics: Third-party services that rely on event data for analytics and reporting will produce incorrect outputs, impacting decision-making processes.

  3. Auditing Difficulties: Inaccurate event data complicates the auditing and verification of transactions, potentially masking other underlying issues.

Tools Used

Manual Review

Recommendations

  1. Review and Correct Emission Logic: Thoroughly review the logic that prepares values for the LiquidityAdded event and ensure they accurately reflect the actual amounts involved.

  2. Unit Testing: Implement comprehensive unit tests to validate that the emitted values match the expected values based on the inputs provided to the addLiquidity function.

function _addLiquidityMintAndTransfer(
uint256 wethToDeposit,
uint256 poolTokensToDeposit,
uint256 liquidityTokensToMint
)
private
{
_mint(msg.sender, liquidityTokensToMint);
//@audit wrong amounts emitted
// event LiquidityAdded(address indexed liquidityProvider, uint256 wethDeposited, uint256 poolTokensDeposited);
- emit LiquidityAdded(msg.sender, poolTokensToDeposit, wethToDeposit);
+ emit LiquidityAdded(msg.sender, wethToDeposit, poolTokensToDeposit);
// Interactions
i_wethToken.safeTransferFrom(msg.sender, address(this), wethToDeposit);
i_poolToken.safeTransferFrom(msg.sender, address(this), poolTokensToDeposit);
}
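Review bot: the context line `//@audit wrong amounts emitted` directly above the corrected `emit` is left in place, so once this change is applied the comment describes a bug that no longer exists; remove it in the same patch. Both amounts are `uint256`, so the compiler cannot catch a swap like this one, and the fix should come with a test that deposits two different amounts and asserts the order of the `LiquidityAdded` data fields.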
Updates

Appeal created

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

`LiquidityAdded` event has parameters out of order
