HardhatDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Missing Event Emission in Critical Functions Leading to Reduced Transparency and Off-Chain Tracking Issues

Summary

The lack of event emission in critical functions impairs real-time tracking, increases reliance on expensive state reads, and reduces transparency in contract operations. This can make it challenging for users, developers, and auditors to verify contract behavior.

Description

Several functions within the contract modify critical state variables without emitting corresponding events. The affected functions include:

registerCollateralToken
createContingentPool
addLiquidity
removeLiquidity
redeemPositionToken
redeemWToken

In Solidity-based smart contracts, events play a crucial role in facilitating off-chain tracking and ensuring transparency. Without event emissions, external applications, indexers, and auditors face difficulty in monitoring contract state changes, potentially leading to inefficiencies or security risks.

Vulnerability Details

Lack of Event Emission for Critical State Modifications
Affected Functions
The following functions modify the contract state but do not emit corresponding events:

registerCollateralToken(address _collateralToken)
createContingentPool(PoolParams calldata _poolParams)
addLiquidity(bytes32 _poolId, uint256 _collateralAmount, address _longRecipient, address _shortRecipient)
removeLiquidity(bytes32 _poolId, uint256 _positionTokenAmount, address _recipient)
redeemPositionToken(address _positionToken, uint256 _positionTokenAmount, address _recipient)
redeemWToken(address _wToken, uint256 _wTokenAmount, address _recipient)

These functions modify important state variables such as the user's liquidity, collateral tokens, and pool parameters. However, they do not emit events that would inform external users or applications of the state change.


Root Cause

The root cause of this vulnerability is the absence of event emissions in critical functions that modify contract state. Events in Solidity are used to log important state changes and interactions, allowing off-chain services (like DApps, monitoring services, and explorers) to efficiently track contract activity. Without emitting events, these functions lack a way to signal external observers that a significant change has occurred.


https://github.com/Cyfrin/2025-01-diva/blob/1b6543768c341c2334cdff87b6dd627ee2f62c89/contracts/src/AaveDIVAWrapper.sol#L37

https://github.com/Cyfrin/2025-01-diva/blob/1b6543768c341c2334cdff87b6dd627ee2f62c89/contracts/src/AaveDIVAWrapper.sol#L49

https://github.com/Cyfrin/2025-01-diva/blob/1b6543768c341c2334cdff87b6dd627ee2f62c89/contracts/src/AaveDIVAWrapper.sol#L21

https://github.com/Cyfrin/2025-01-diva/blob/1b6543768c341c2334cdff87b6dd627ee2f62c89/contracts/src/AaveDIVAWrapper.sol#L30


Impact

Transparency Issues: Users and external observers cannot efficiently track state changes.
Inefficient Off-Chain Indexing: DApps and monitoring tools cannot reliably detect actions without continuously querying the blockchain.
Security & Debugging Challenges: Auditors and developers face difficulties when tracing transactions to identify issues or anomalies.

PoC

Consider the function addLiquidity:

```solidity
function addLiquidity(uint256 _amount) external {
    require(_amount > 0, "Amount must be greater than zero");
    liquidity[msg.sender] += _amount;
}
```

This function updates a user's liquidity but does not emit an event. Without an event, external applications must manually call liquidity(msg.sender) to track changes, which is inefficient and costly.

Tools Used


Recommendations

To enhance transparency, each function should emit an event upon execution. For example, modifying addLiquidity as follows:

```solidity
event LiquidityAdded(address indexed user, uint256 amount);

function addLiquidity(uint256 _amount) external {
    require(_amount > 0, "Amount must be greater than zero");
    liquidity[msg.sender] += _amount;
    emit LiquidityAdded(msg.sender, _amount); // Event emitted
}
```
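
How an off-chain indexer would consume the LiquidityAdded event recommended above, as an added example that is not part of the original submission or the DIVA code base: it filters logs by emitting contract and topic0, decodes the indexed user and the amount, and totals them without any state reads. WRAPPER, TOPIC0 and the sample logs are constructed placeholders.

```javascript
// Added example: off-chain indexer rebuilding balances from LiquidityAdded logs.
// WRAPPER and TOPIC0 are constructed placeholders; on a real chain topic0 is
// keccak256("LiquidityAdded(address,uint256)") and WRAPPER is the deployed contract.
const WRAPPER = "0x" + "aa".repeat(20);
const TOPIC0 = "0x" + "11".repeat(32);

// An indexed address occupies the low 20 bytes of a 32-byte topic.
function topicToAddress(topic) {
  if (!/^0x[0-9a-fA-F]{64}$/.test(topic)) throw new Error("bad topic");
  if (!/^0x0{24}/.test(topic)) throw new Error("address topic not zero-padded");
  return "0x" + topic.slice(26).toLowerCase();
}

// The non-indexed uint256 is ABI-encoded as a single 32-byte word in `data`.
function dataToUint256(data) {
  if (!/^0x[0-9a-fA-F]{64}$/.test(data)) throw new Error("bad data");
  return BigInt(data);
}

// Fold logs into per-user totals; skip logs from other contracts or other events.
function indexLiquidity(logs) {
  const totals = new Map();
  let skipped = 0;
  for (const log of logs) {
    if (log.address.toLowerCase() !== WRAPPER || log.topics[0] !== TOPIC0 || log.topics.length !== 2) {
      skipped++;
      continue;
    }
    const user = topicToAddress(log.topics[1]);
    totals.set(user, (totals.get(user) ?? 0n) + dataToUint256(log.data));
  }
  return { totals, skipped };
}

// Constructed sample logs, in the shape eth_getLogs returns.
const pad = (hex) => "0x" + hex.padStart(64, "0");
const ALICE = "0x" + "a1".repeat(20);
const BOB = "0x" + "b0".repeat(20);
const SAMPLE_LOGS = [
  { address: WRAPPER, topics: [TOPIC0, pad(ALICE.slice(2))], data: pad((1000n).toString(16)) },
  { address: WRAPPER, topics: [TOPIC0, pad(BOB.slice(2))], data: pad((250n).toString(16)) },
  { address: WRAPPER, topics: [TOPIC0, pad(ALICE.slice(2))], data: pad((500n).toString(16)) },
  { address: "0x" + "cc".repeat(20), topics: [TOPIC0, pad(ALICE.slice(2))], data: pad("ff") }, // other emitter
  { address: WRAPPER, topics: ["0x" + "22".repeat(32), pad(BOB.slice(2))], data: pad("01") }, // other event
];

const { totals, skipped } = indexLiquidity(SAMPLE_LOGS);
console.log(Object.fromEntries([...totals].map(([u, v]) => [u, v.toString()])), "skipped:", skipped);
```

Checking the emitting address as well as topic0 matters because any contract can emit an event with the same signature.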
Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
