Aave DIVA Wrapper

DIVA

HardhatDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Lack of event emission

mustaphaabdulaziz00

Summary

https://github.com/Cyfrin/2025-01-diva/blob/5b7473c13adf54a4cd1fd6b0f37ab6529c4487dc/contracts/src/AaveDIVAWrapper.sol#L21

https://github.com/Cyfrin/2025-01-diva/blob/5b7473c13adf54a4cd1fd6b0f37ab6529c4487dc/contracts/src/AaveDIVAWrapper.sol#L37

The AaveDIVAWrapper contract lacks sufficient event emissions for critical state-modifying functions. This deficiency can hinder transparency, auditing, and real-time monitoring, making it difficult for stakeholders to detect and respond to significant operations or anomalies.

Vulnerability Details

No Event Emission for Key Functions:

Several state-modifying functions, such as registerCollateralToken, addLiquidity, removeLiquidity, redeemPositionToken, and claimYield, do not emit events after successful execution.

Batch operations like batchRegisterCollateralToken and batchAddLiquidity also lack event emissions, leaving no trace of the changes they apply.

Transparency Issues:

Without events, it becomes challenging to track the flow of funds, detect unauthorized operations, or debug unexpected behavior.

**Operational Risks:**Failure to emit events means external applications (like monitoring dashboards or off-chain systems) cannot easily track or respond to important operations.

Impact

Reduced Traceability: The absence of events makes it difficult to trace historical actions, potentially complicating audits and investigations into suspicious activity.

Monitoring Challenges: Real-time monitoring tools relying on event logs cannot detect or act upon contract operations.

Compliance Risks: Inadequate event emission may lead to compliance challenges, especially in systems requiring extensive logging and audit trails.

Tools Used

Manual

Recommendations

Add Event Definitions:

Define events for all significant state-modifying operations. For example:

event CollateralTokenRegistered(address indexed collateralToken, address indexed wToken);

event LiquidityAdded(bytes32 indexed poolId, uint256 collateralAmount, address indexed longRecipient, address indexed shortRecipient);

event LiquidityRemoved(bytes32 indexed poolId, uint256 positionTokenAmount, address indexed recipient, uint256 collateralReturned);

event PositionTokenRedeemed(address indexed positionToken, uint256 amount, address indexed recipient);

event YieldClaimed(address indexed collateralToken, uint256 yieldAmount, address indexed recipient);

Updates

Lead Judging Commences

bube Lead Judge 9 months ago

Submission Judgement Published

Invalidated

Reason: Known issue

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

519

29 USDC / LOC

High Medium

14,000

Low

1,000

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.