Aave DIVA Wrapper
DIVA
HardhatDeFi
15,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Lack of Event Emission for `supply()` and `withdraw()`

futhmah456

Summary

The supply() and withdraw() functions in contract IAave.sol modify user balances but do not emit events. In Solidity best practices, functions that change balances should emit events to improve traceability and security.

Vulnerability Details

Impact

  • Lack of emitted events makes it harder for off-chain services to track deposits and withdrawals.

  • Security monitoring tools rely on events to detect anomalies.

  • Debugging and auditing are more difficult.

Proof of Concept (PoC)

While this issue is in an interface, any contract implementing IAave must manually emit events. Consider the following example of a possible vulnerable implementation:

contract AaveImplementation is IAave {
mapping(address => uint256) public balances;
function supply(address asset, uint256 amount, address onBehalfOf, uint16 referralCode) external override {
// Supply logic...
balances[onBehalfOf] += amount;
// No event is emitted here, making tracking difficult
}
}

Mitigation

Update the interface to include event declarations:

event Supplied(address indexed asset, uint256 amount, address indexed onBehalfOf, uint16 referralCode);
event Withdrawn(address indexed asset, uint256 amount, address indexed to);

Then, implementations must emit these events:

function supply(address asset, uint256 amount, address onBehalfOf, uint16 referralCode) external override {
// Supply logic...
balances[onBehalfOf] += amount;
emit Supplied(asset, amount, onBehalfOf, referralCode);
}

Tools Used

Manual code review

Recommendations

Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.