Liquid Staking

Summary

Several functions across the contracts modify critical state variables without emitting events. This lack of transparency hinders off-chain monitoring and auditing, and can delay the detection of unauthorized or erroneous changes.

Vulnerability Details

Functions that change important state variables should emit events to notify off-chain systems and auditors. The following functions lack event emissions:

• In OperatorVCS:

  • setOperatorRewardPercentage

  • setFundFlowController

• In CommunityVCS:

  • setVaultDeploymentParams

• In VaultControllerStrategy:

  • setVaultImplementation

  • setMaxDepositSizeBP

For example, in OperatorVCS:

Without events, changes to critical parameters may go unnoticed by off-chain systems that rely on events to track contract state changes.

Impact

Impact

• Reduced Transparency: Lack of events makes it difficult for off-chain systems to detect and respond to state changes.

• Delayed Detection of Issues: Auditors and monitoring tools may not promptly identify unauthorized or erroneous changes.

• User Trust: Users may lose trust in the system due to lack of transparency.

Tools Used

Manual code review.

Recommendations

• Emit Events for All State Changes:

  • Add events for functions that modify critical state variables.

  • For example, emit an event FundFlowControllerUpdated(address newController) in setFundFlowController.

• Consistent Event Naming:

  • Use clear and consistent naming conventions for events.

  • Ensure events provide sufficient information about the changes.

• Update Existing Functions:

  • Review all functions that change state variables and add missing event emissions.

• Documentation:

  • Document the purpose of each event and the data it emits.

  • Encourage developers to use events as part of their coding standard.