Summary

The addTreat function allows the contract owner to add a new treat with a name, rate, and metadata URI. However, there is a naming mismatch between the emit statement and the TreatAdded event definition. The emit statement uses _rate, but the event defines a cost parameter instead. This inconsistency can cause confusion for developers, auditors, or tools that rely on event logs for tracking treat data.

Vulnerability Details

The event TreatAdded defines a cost parameter, but the emit statement in addTreat emits _rate as the second argument. This inconsistency between the names can lead to confusion for developers and users who expect the cost to match what is being emitted as the rate.

Problem:

• Mismatch Between Event and Emission: The event defines cost, but the function emits _rate. This inconsistency could cause misunderstandings when external users or tools read and track events.

  Line Highlight:

  event TreatAdded(string name, uint256 cost, string metadataURI); // Defined with 'cost'

Impact

The naming inconsistency between rate and cost could lead to confusion or errors for developers who rely on event logs for tracking treat-related data.

Data Inconsistency: Misinterpreting rate as cost can lead to incorrect assumptions or data interpretation regarding the value of the treats.

Tools Used

Manual Review

Recommendations

Ensure Consistent Naming: To resolve this issue, align the parameter names between the emit statement and the event declaration. Use rate consistently.

Corrected Code: