Flow

Sablier
FoundryDeFi
20,000 USDC
Submission Details
Severity: low
Invalid

No Events Emitted

Summary

The Batch contract does not emit any events after executing batch calls, which hinders monitoring and tracking of contract interactions.

Finding Description

The batch function in the Batch contract executes multiple delegatecalls based on the provided calls array. However, because no event is emitted, users and developers have no on-chain signal that a batch call was executed, nor any way to track its details after the fact. This lack of visibility obscures the contract's activity and complicates debugging.

Security Guarantees Affected:

  • Transparency: The contract fails to provide transparency regarding operations, which is crucial in decentralized environments. Without events, it's difficult to audit or trace the execution of batch calls.

  • Malicious Input Propagation: While this issue may not directly lead to a security vulnerability, it can be exploited in a situation where malicious actors want to manipulate the contract's state without leaving a trace. For example, if a user were to send a series of malicious calls, the absence of events would make it challenging to identify and respond to the attack.

Vulnerability Details

The lack of events makes it difficult to detect unauthorized changes or to audit the contract's usage. This is particularly critical in contracts that may interact with multiple parties or when transactions are high-value.

Impact

The absence of event emissions leads to poor observability of contract behavior, which can result in undetected issues or malicious activities. Smart contracts should provide feedback on state changes, and without events, users have no clear insight into the operations being performed.

Proof of Concept

Below is a demonstration of how the absence of events impacts monitoring. In a normal situation, one would expect to see logs indicating the batch call's success. Without events, these logs are nonexistent, making it challenging to ascertain what operations have occurred.

function batch(bytes[] calldata calls) external {
    uint256 count = calls.length;
    for (uint256 i = 0; i < count; ++i) {
        (bool success, bytes memory result) = address(this).delegatecall(calls[i]);
        if (!success) {
            revert Errors.BatchError(result);
        }
    }
    // No events emitted
}

Recommendations

To resolve this issue, the contract should emit an event after successfully executing the batch calls. This can enhance transparency and monitoring capabilities.

Suggested Code Snippet

Here’s how you can modify the batch function to include an event emission:

  1. Define an event at the top of the contract:

    event BatchExecuted(uint256 indexed count);
  2. Emit the event after successfully executing all batch calls:

    function batch(bytes[] calldata calls) external {
        uint256 count = calls.length;
        require(count > 0, "No calls provided"); // Optional input validation
        require(count <= 100, "Too many calls"); // Optional limit on calls
        for (uint256 i = 0; i < count; ++i) {
            (bool success, bytes memory result) = address(this).delegatecall(calls[i]);
            if (!success) {
                // bytes(...) gives both ternary branches the same bytes memory type;
                // a bare string literal here does not compile against a bytes value
                revert Errors.BatchError(result.length > 0 ? result : bytes("Unknown error"));
            }
        }
        emit BatchExecuted(count); // Emitting event for transparency
    }

This modification will allow users to track when batch calls are made, improving the overall security and usability of the contract.
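As an added example (not part of this submission and not Sablier's own code), the Foundry test below checks the behaviour the recommendation asks for: a successful batch emits BatchExecuted with the call count, and a failing inner call reverts the whole batch with BatchError so no partial state survives. The Errors library, the Batch contract and the Counter contract are minimal hypothetical stand-ins written for this test, not the project's source, and the file is assumed to live under test/ in a Foundry project with forge-std installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.22;

import { Test } from "forge-std/Test.sol";

// Hypothetical stand-in for the project's Errors library (example only).
library Errors {
    error BatchError(bytes result);
}

// Hypothetical stand-in for the Batch contract with the recommended event added.
abstract contract Batch {
    event BatchExecuted(uint256 indexed count);

    function batch(bytes[] calldata calls) external {
        uint256 count = calls.length;
        for (uint256 i = 0; i < count; ++i) {
            (bool success, bytes memory result) = address(this).delegatecall(calls[i]);
            if (!success) {
                revert Errors.BatchError(result);
            }
        }
        emit BatchExecuted(count);
    }
}

// Hypothetical concrete contract so the batch has functions to delegatecall into.
contract Counter is Batch {
    uint256 public total;

    function add(uint256 amount) external {
        total += amount;
    }

    function fail() external pure {
        revert("boom");
    }
}

contract BatchEventTest is Test {
    // Redeclared locally so the test can `emit` the expected event for vm.expectEmit.
    event BatchExecuted(uint256 indexed count);

    Counter internal counter;

    function setUp() public {
        counter = new Counter();
    }

    function test_BatchEmitsExecutedEvent() public {
        bytes[] memory calls = new bytes[](2);
        calls[0] = abi.encodeCall(Counter.add, (3));
        calls[1] = abi.encodeCall(Counter.add, (4));

        // Check topic1 (the indexed count) and the emitter address; no data fields exist.
        vm.expectEmit(true, false, false, true, address(counter));
        emit BatchExecuted(2);

        counter.batch(calls);

        // Both delegatecalls ran against the Counter's own storage.
        assertEq(counter.total(), 7);
    }

    function test_FailingCallRevertsWholeBatch() public {
        bytes[] memory calls = new bytes[](2);
        calls[0] = abi.encodeCall(Counter.add, (1));
        calls[1] = abi.encodeCall(Counter.fail, ());

        // revert("boom") produces Error(string) data, which Batch wraps in BatchError.
        bytes memory inner = abi.encodeWithSignature("Error(string)", "boom");
        vm.expectRevert(abi.encodeWithSelector(Errors.BatchError.selector, inner));
        counter.batch(calls);

        // The first call's state change was rolled back with the rest of the batch.
        assertEq(counter.total(), 0);
    }
}
```

Run with `forge test --match-contract BatchEventTest -vvv`. The first test is the one that fails against the original Batch, since no BatchExecuted log is ever produced; the second documents that a failing inner call leaves no partial state behind, which is why any monitoring based on the event can treat its presence as "the whole batch succeeded".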

File Location

src/abstracts/Batch.sol

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
