Event emission after external call in `MultiSigWallet::executeTransaction` can lead to missing or incorrect event logs
Description: The executeTransaction function emits the TransactionExecuted event after making an external call. If the external call triggers a revert in the recipient's fallback/receive function, the event will never be emitted, leading to inconsistent off-chain tracking.
Impact:
Off-chain systems (like front-ends, analytics, or monitoring tools) may miss successful transactions
Transaction history will be incomplete
Difficulty in tracking and auditing multisig wallet activity
Proof of Concept:
A transaction is approved and executed
The state is updated (
txn.executed = true)The external call is made but the receiving contract reverts
The function reverts due to
require(success)The event is never emitted, even though the transaction was marked as executed
The contract state and event logs are now out of sync
Recommended Mitigation: Move the event emission before the external call to ensure it's always emitted when a transaction is marked as executed:
This ensures that the event is always emitted when the transaction is marked as executed, maintaining consistency between contract state and event logs.
Appeal created
Informational or Gas
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.