Flow

Sablier

FoundryDeFi

20,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Use of Event Emissions

hackz

Summary

The contract SablierFlow.sol does not emit events for critical state changes, leading to potential issues in tracking contract activities and interactions. This lack of event emissions can hinder transparency and observability.

Finding Description

In Solidity smart contracts, events serve as a critical mechanism for logging state changes and providing transparency for off-chain applications and users. The SablierFlow.sol contract lacks emissions for important actions such as fund transfers, withdrawals, or updates to key contract states.

This omission breaks the security guarantees related to auditability and transparency. Without events, external watchers and services (e.g., dApps, monitoring tools) cannot reliably track significant actions within the contract. Malicious actors could exploit this lack of visibility to manipulate contract behavior without any trace, potentially leading to disputes or loss of funds.

For instance, if a user withdraws funds without an accompanying event emission, external systems that rely on event tracking will not reflect this change, resulting in discrepancies in users' perceptions of their balances.

Vulnerability Details

Location: SablierFlow.sol
Affected Functions: All critical functions that change the contract's state but do not emit corresponding events (e.g., withdraw, transfer).

Impact

The lack of event emissions is assessed as Medium Severity. While it does not directly lead to a security breach, it undermines the transparency of the contract and can facilitate malicious behavior by obscuring transaction history. It is essential for users and external systems to have visibility into the contract's state changes to maintain trust and allow for accurate monitoring.

Proof of Concept

Consider a function within the contract that facilitates fund withdrawal without emitting an event:

function withdraw(uint256 amount) public {

// Logic for withdrawing funds

require(balances[msg.sender] >= amount, "Insufficient balance");

balances[msg.sender] -= amount;

// Missing event emission for withdrawal

}

If a user were to call this function, the transaction would succeed, but no event would be emitted to signal the withdrawal.

Recommendations

To address this vulnerability, the contract should emit events for all significant state changes. Here is an example of how to modify the withdraw function to include an event emission:

event Withdraw(address indexed user, uint256 amount);

function withdraw(uint256 amount) public {

require(balances[msg.sender] >= amount, "Insufficient balance");

balances[msg.sender] -= amount;

emit Withdraw(msg.sender, amount); // Emit event for transparency

}

Adding the Withdraw event allows external systems to track withdrawals effectively, enhancing the contract's auditability and user confidence.

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Lack of quality

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

699

29 USDC / LOC

High Medium

19,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.