VaultAdded Event in OperatorVCS emits Operator Instead of Vault
Summary
In the current implementation, the VaultAdded event is designed to emit the operator instead of the actual vault address. This causes a discrepancy between the event's name and the data it emits. The VaultAdded event should be used to notify external observers (such as off-chain systems or third-party services) that a new vault has been added. However, by emitting the operator instead of the vault address, the event does not provide accurate information, leading to potential confusion and difficulties in tracking vault creation and addition.
Vulnerability Details
The event is emitting the operator (presumably the vault owner or an admin) instead of the vault address. This can cause inaccuracies in off-chain tracking of newly added vaults, as the emitted data does not correctly represent what is actually happening within the contract.
Impact
Incorrect Off-Chain Data Collection: Any external systems, such as dApps or blockchain explorers, that rely on event logs to track the addition of new vaults will receive incorrect information. Instead of being able to monitor new vault addresses, these systems will only be able to track the operators responsible for adding them, leading to significant operational issues for vault tracking.
Tools Used
Manual Review
Recommendations
Ensure that the vault address is emitted in the VaultAdded event rather than the operator. This will allow off-chain systems to correctly track new vaults and maintain accurate data.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.