Liquid Staking
Stakelink
DeFiHardhatOracle
50,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Lack of Essential Event Emissions in StakingPool Contract

allengeorge

Summary:

The StakingPool contract fails to emit events for several critical operations, including strategy additions/removals, fee updates, and ownership changes. This omission significantly impairs the contract's transparency, auditability, and the ability of external systems to react to important state changes.

Vulnerability Details:

Smart contracts often interact with off-chain systems and other contracts. Events serve as an efficient, gas-friendly way to communicate important state changes and actions to these external systems. In the StakingPool contract, several crucial functions that alter the contract's state or configuration do not emit events, including:

  1. addStrategy

  2. removeStrategy

  3. reorderStrategies

  4. addFee

  5. updateFee

  6. setUnusedDepositLimit

  7. setPriorityPool

  8. setRebaseController

The absence of these events makes it difficult for external systems to track changes in the contract's configuration, potentially leading to synchronization issues and reduced transparency.

Impact:

  • Medium severity due to the loss of critical information and reduced contract transparency.

  • Systems may operate with outdated information, leading to incorrect decisions or actions.

  • Auditing contract activities becomes significantly more challenging and resource-intensive.

  • Users and integrators lack real-time notifications about important contract changes.

  • Reduced ability to create accurate historical records of contract administration.

Tools Used:

  • Manual code review

Recommendations:

  1. Implement events for all critical state-changing operations:

    contract StakingPool is StakingRewardsPool {
    // ... existing code ...
    event StrategyAdded(address indexed strategy);
    event StrategyRemoved(address indexed strategy);
    event StrategiesReordered(address[] newOrder);
    event FeeAdded(address indexed receiver, uint256 basisPoints);
    event FeeUpdated(address indexed receiver, uint256 basisPoints);
    event UnusedDepositLimitSet(uint256 newLimit);
    event PriorityPoolSet(address indexed newPriorityPool);
    event RebaseControllerSet(address indexed newRebaseController);
    function addStrategy(address _strategy) external onlyOwner {
    // ... existing code ...
    emit StrategyAdded(_strategy);
    }
    function removeStrategy(uint256 _index, bytes memory _strategyUpdateData, bytes calldata _strategyWithdrawalData) external onlyOwner {
    // ... existing code ...
    emit StrategyRemoved(strategies[_index]);
    }
    // Implement similar event emissions for other critical functions
    }

By implementing these recommendations, the StakingPool contract will provide much-needed transparency and enable real-time tracking of important contract changes. This will significantly enhance the contract's auditability, improve user trust, and allow for more efficient integration with external systems.

Similar Issue :

  1. OpenZeppelin

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

allengeorge Submitter
about 1 year ago
inallhonesty Lead Judge
about 1 year ago
inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.