Summary

The StrategyOp, StrategyArb, and StrategyMainnet contracts currently lack event emissions for critical state-changing actions, which impedes the ability to monitor and audit their operations effectively.

Vulnerability Details

The absence of events in these contracts means that key interactions are not recorded, including:

• Fund Deployments: No logs are generated when assets are deployed to the yield source via _deployFunds, making it impossible to track how much capital is being put to work.

• Claims and Swaps: The claimAndSwap function does not emit events to indicate the amounts claimed or the results of asset swaps, leading to a lack of visibility into the operations performed by keepers.

• Withdrawals: The _freeFunds function does not log withdrawals, leaving a gap in understanding the cash flow and status of funds within the contract.

Without events to document these critical actions, developers and auditors cannot easily track the contract's behavior or diagnose potential issues arising from failed operations or unexpected states.

Impact

• Lack of Transparency: Users and external parties have no means to verify and track fund movements, leading to reduced trust in the contract's operations.

• Difficulty in Auditing: The absence of events complicates the auditing process, making it harder to trace asset flows and understand the history of interactions within the contract.

• Increased Risk of Issues Going Undetected: Critical state changes may occur without any logged history, making it challenging to identify and resolve operational issues.

Tools Used

Manual Review

Recommendations

To improve transparency and accountability in the StrategyOp, StrategyArb, and StrategyMainnet contracts, it is recommended to implement event emissions for key functions, including:

• For Fund Deployments: Emit an event in the _deployFunds function, such as FundsDeposited(address indexed user, uint256 amount), to log capital being deployed.

• For Claims and Swaps: Add events in the claimAndSwap function, like AssetsClaimed(address indexed user, uint256 amountClaimed) and AssetsSwapped(address indexed user, uint256 amountIn, uint256 amountOut), to track the claim and swap actions performed by keepers.

• For Withdrawals: Include events in the _freeFunds function, such as FundsWithdrawn(address indexed user, uint256 amount), to document withdrawals made from the contract.

By implementing these event emissions, the contracts will enhance their operational transparency, facilitate easier monitoring and auditing, and provide a more robust foundation for tracking the flow of assets.