Christmas Dinner

First Flight #31
Beginner Friendly, Foundry, Solidity
100 EXP
Submission Details
Severity: medium
Invalid

No Event Emitted When `Host` Calls `withdraw()`

Summary

The withdraw() function, which allows the host to withdraw all ERC20 tokens (WETH, WBTC, USDC), does not emit any events to track these significant state changes.

Vulnerability Details

    // @audit no event emitted when the tokens are withdrawn by host
    function withdraw() external onlyHost {
        address _host = getHost();
        i_WETH.safeTransfer(_host, i_WETH.balanceOf(address(this)));
        i_WBTC.safeTransfer(_host, i_WBTC.balanceOf(address(this)));
        i_USDC.safeTransfer(_host, i_USDC.balanceOf(address(this)));
    }

The function performs three significant token transfers but fails to emit any events. This lack of transparency makes it difficult for:

  • Users to track when and how much the host withdrew

  • Off-chain systems to monitor withdrawals

  • Auditors to trace the flow of funds

  • DApps to react to withdrawal events

Impact

While this doesn't directly affect the security of the funds, it significantly reduces transparency and makes it harder to track the contract's activity. This could:

  • Reduce user trust

  • Complicate integration with other systems

  • Make auditing more difficult

  • Prevent proper monitoring of host activities
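
What off-chain monitoring of host withdrawals looks like while the contract emits no event of its own: the monitor has to reconstruct them from the standard ERC20 `Transfer` logs emitted by the token contracts. This is an added example, not part of the submission or the audited code; the addresses, transaction hashes, amounts and function names are constructed placeholders.

```python
# ERC20 Transfer(address,address,uint256) signature hash, always topic0.
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"

# Constructed placeholder addresses, not real deployments.
DINNER, HOST, OTHER = ("0x" + b * 20 for b in ("d1", "a0", "b0"))
TOKENS = {"0x" + "11" * 20: "WETH", "0x" + "22" * 20: "WBTC", "0x" + "33" * 20: "USDC"}
WETH, WBTC, USDC = TOKENS  # token contract addresses (the dict keys)


def make_log(token, src, dst, amount, tx):
    """Build a constructed log shaped like an eth_getLogs result entry."""
    pad = lambda addr: "0x" + addr[2:].rjust(64, "0")
    return {"address": token, "topics": [TRANSFER_TOPIC, pad(src), pad(dst)],
            "data": "0x" + format(amount, "064x"), "transactionHash": tx}


def topic_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the last 20."""
    return "0x" + topic[-40:].lower()


def host_withdrawals(logs, dinner, host, tokens):
    """Return {tx_hash: {symbol: raw_amount}} for transfers dinner -> host.

    The log alone cannot say which function moved the tokens; any transfer
    from the contract to the host matches, which a dedicated event would avoid.
    """
    found = {}
    for log in logs:
        symbol = tokens.get(log["address"].lower())
        topics = log["topics"]
        # Skip unknown tokens and non-ERC20-Transfer logs (wrong hash or arity).
        if symbol is None or len(topics) != 3 or topics[0] != TRANSFER_TOPIC:
            continue
        if topic_address(topics[1]) != dinner or topic_address(topics[2]) != host:
            continue
        per_tx = found.setdefault(log["transactionHash"], {})
        per_tx[symbol] = per_tx.get(symbol, 0) + int(log["data"], 16)
    return found


SAMPLE_LOGS = [  # constructed: one unrelated inbound transfer, one host withdrawal
    make_log(USDC, OTHER, DINNER, 1_500 * 10**6, "0xaa"),
    make_log(WETH, DINNER, HOST, 2 * 10**18, "0xbb"),
    make_log(WBTC, DINNER, HOST, 5 * 10**7, "0xbb"),
    make_log(USDC, DINNER, HOST, 1_500 * 10**6, "0xbb"),
]

if __name__ == "__main__":
    print(host_withdrawals(SAMPLE_LOGS, DINNER, HOST, TOKENS))
```

Amounts are raw token units, so each symbol still needs its own decimals applied before display.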

Tools Used

Manual review

Recommendations

Add an event definition for withdrawals:

    event TokensWithdrawn(
        address indexed host,
        uint256 wethAmount,
        uint256 wbtcAmount,
        uint256 usdcAmount
    );

Modify the withdraw function to emit the event:

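    function withdraw() external onlyHost {
        // .... existing transfers, with each balance read into
        // wethAmount, wbtcAmount and usdcAmount before it is transferred
        emit TokensWithdrawn(_host, wethAmount, wbtcAmount, usdcAmount);
    }
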
Updates

Lead Judging Commences

0xtimefliez Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity