Lack of Event Emissions for Critical State Changes Leads to Poor On-Chain Observability
1. Summary
The LendingPool contract lacks event emissions for critical state-changing functions such as loan repayments, liquidations, and collateral deposits. This omission makes it difficult to track contract activities on-chain, affecting transparency, monitoring, and external integrations like indexers or analytics tools.
2. Vulnerability Details
Issue
Event emissions are missing in crucial functions responsible for:
Loan repayments (borrowers repaying loans)
Liquidations (liquidators seizing collateral)
Collateral deposits (users providing NFTs as collateral)
Without these events, users and external monitoring tools cannot efficiently track transactions and verify system integrity.
Code Snippet (Example of Missing Events)
Root Cause
The developers omitted event emissions in functions that modify critical contract states. Events should be used for on-chain transparency and easy tracking of activities by external tools.
4. Impact
On-Chain Monitoring Failure: External indexers like The Graph and security tools cannot track key operations.
Lack of Transparency: Users and auditors cannot easily verify state changes.
Harder Debugging: Developers and security researchers face difficulties in tracing transactions.
5. Tools Used
**6. Proof of Concept (PoC)
7. Mitigation
Emit events for all critical functions that modify the contract state.
Ensure all state-changing functions such as
repayLoan(),liquidate(), anddepositCollateral()emit relevant events.Adopt best practices by logging structured data in events for easy on-chain indexing.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.