Summary
Several critical state-changing functions across the application fail to emit events when key parameters or states are updated. This oversight reduces transparency, weakens auditability, and increases the risk of unauthorized changes going undetected. The absence of event emission violates standard best practices for smart contract development and could lead to operational, security, and compliance issues.
Functions missing event emissions in: https://github.com/Cyfrin/2024-12-alchemix/blob/main/src/StrategyArb.sol
Setting the router:
    function setRouter(address _router) external onlyManagement {
        router = _router;
        underlying.safeApprove(router, type(uint256).max);
    }
Claiming and swapping:
    function claimAndSwap(uint256 _amountClaim, uint256 _minOut, IRamsesRouter.route[] calldata _path) external onlyKeepers {
        transmuter.claim(_amountClaim, address(this));
        uint256 balBefore = asset.balanceOf(address(this));
        _swapUnderlyingToAsset(_amountClaim, _minOut, _path);
        uint256 balAfter = asset.balanceOf(address(this));
        require((balAfter - balBefore) >= _minOut, "Slippage too high");
        transmuter.deposit(asset.balanceOf(address(this)), address(this));
    }
Functions missing event emissions in: https://github.com/Cyfrin/2024-12-alchemix/blob/main/src/StrategyMainnet.sol
Adding a route:
    function addRoute(
        address[11] calldata _route,
        uint256[5][5] calldata _swapParams,
        address[5] calldata _pools
    ) external onlyManagement {
        routes[nRoutes] = _route;
        swapParams[nRoutes] = _swapParams;
        pools[nRoutes] = _pools;
        nRoutes++;
    }
Claiming and swapping:
    function claimAndSwap(
        uint256 _amountClaim,
        uint256 _minOut,
        uint256 _routeNumber
    ) external onlyKeepers {
        transmuter.claim(_amountClaim, address(this));
        uint256 balBefore = asset.balanceOf(address(this));
        require(_minOut > _amountClaim, "minOut too low");
        router.exchange(
            routes[_routeNumber],
            swapParams[_routeNumber],
            _amountClaim,
            _minOut,
            pools[_routeNumber],
            address(this)
        );
        uint256 balAfter = asset.balanceOf(address(this));
        require((balAfter - balBefore) >= _minOut, "Slippage too high");
        transmuter.deposit(asset.balanceOf(address(this)), address(this));
    }
Functions missing event emissions in: https://github.com/Cyfrin/2024-12-alchemix/blob/main/src/StrategyOp.sol
Setting the router:
    function setRouter(address _router) external onlyManagement {
        router = _router;
        underlying.safeApprove(router, type(uint256).max);
    }
Claiming and swapping:
    function claimAndSwap(uint256 _amountClaim, uint256 _minOut, IVeloRouter.route[] calldata _path) external onlyKeepers {
        transmuter.claim(_amountClaim, address(this));
        uint256 balBefore = asset.balanceOf(address(this));
        _swapUnderlyingToAsset(_amountClaim, _minOut, _path);
        uint256 balAfter = asset.balanceOf(address(this));
        require((balAfter - balBefore) >= _minOut, "Slippage too high");
        transmuter.deposit(asset.balanceOf(address(this)), address(this));
    }
Impact
HIGH - all major event emissions are missing, which results in severe operational and security risks.
Likelihood
HIGH - nothing is logged when these states change, because the events do not exist.
Tools Used
Manual analysis
Recommendations
NOTE: Make sure to differentiate between event names, as the files contain similarly named functions.
1 - Define Events for Critical State Changes.
2 - Emit Events in State-Changing Functions.
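
One way to apply both recommendations to the StrategyArb functions, as an added sketch that is not the project's code. The event names, the `IERC20Like` and `ITransmuterLike` interfaces, the `bytes` path parameter and the plain `approve` call are assumptions standing in for the real types.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Minimal stand-ins (assumed shapes) so the sketch compiles on its own.
interface IERC20Like {
    function balanceOf(address account) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
}

interface ITransmuterLike {
    function claim(uint256 amount, address recipient) external;
    function deposit(uint256 amount, address owner) external;
}

abstract contract StrategyArbWithEvents {
    // Hypothetical event names; the "Arb" prefix keeps them distinct from
    // the events of the similarly named functions in the other strategies.
    event ArbRouterSet(address indexed oldRouter, address indexed newRouter);
    event ArbClaimAndSwap(address indexed keeper, uint256 amountClaimed, uint256 minOut, uint256 amountOut);

    address public router;
    IERC20Like public asset;
    IERC20Like public underlying;
    ITransmuterLike public transmuter;

    // Access control and the swap itself are left to the real strategy.
    modifier onlyManagement() virtual;
    modifier onlyKeepers() virtual;
    function _swapUnderlyingToAsset(uint256 amount, uint256 minOut, bytes calldata path) internal virtual;

    function setRouter(address _router) external onlyManagement {
        address oldRouter = router; // cache so the log records the previous value
        router = _router;
        // Plain approve stands in for SafeERC20.safeApprove used by the strategy.
        require(underlying.approve(_router, type(uint256).max), "approve failed");
        emit ArbRouterSet(oldRouter, _router);
    }

    function claimAndSwap(uint256 _amountClaim, uint256 _minOut, bytes calldata _path) external onlyKeepers {
        transmuter.claim(_amountClaim, address(this));
        uint256 balBefore = asset.balanceOf(address(this));
        _swapUnderlyingToAsset(_amountClaim, _minOut, _path);
        uint256 amountOut = asset.balanceOf(address(this)) - balBefore;
        require(amountOut >= _minOut, "Slippage too high");
        transmuter.deposit(asset.balanceOf(address(this)), address(this));
        // Emitted last, so a log exists only for calls that passed the slippage check.
        emit ArbClaimAndSwap(msg.sender, _amountClaim, _minOut, amountOut);
    }
}
```

Indexing the old and new router addresses lets an off-chain monitor filter on either value, and logging the realised `amountOut` next to `_minOut` makes each keeper swap auditable from the logs alone.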