Incorrect event emission in `LendingPool::_rebalanceLiquidity`
Summary
The LendingPool::_rebalanceLiquidity function emits an incorrect event parameter.
Vulnerability Details
The LendingPool::_rebalanceLiquidity is called upon borrow, withdraw and deposit to ensure the desired buffer is maintained by either depositing excess to the vault or withdrawing the shortfall from the vault.
However, the event emitted at the end can be fairly determined as incorrect, rationale for the same:-
The
totalVaultDepositsemitted here is the updated value on the contrast thecurrentBufferis the old value and not the actualdesiredBuffer.It is impossible to predict from the event whether the liquidity re-balance involved depositing into the vault or withdrawing from the vault.
These observations conclude that the intended event could have shown desired buffer or the change made to the current buffer or a totalVaultDeposits before update happened.
Impact
The event emitted is incorrect / useless in terms of not being able to draw out any conclusion whether the excess was deposited or shortage was fulfilled or the current desired buffer.
Offchain mechanism would hallucinate with such data.
Tools Used
Manual Review
Recommendations
It is recommended to emit the desired buffer instead:
Lead Judging Commences
LendingPool::_rebalanceLiquidity emits an event with stale buffer
Invalidated by appeal in 1090
LendingPool::_rebalanceLiquidity emits an event with stale buffer
Invalidated by appeal in 1090
Appeal created
LendingPool::_rebalanceLiquidity emits an event with stale buffer
Invalidated by appeal in 1090
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.