The setOracle function updates the oracle address but does not emit an event. This omission reduces transparency and makes it difficult to track changes in the oracle's address, which is critical for security and trust in price updates.
The function setOracle allows the contract owner to update the oracle address:
However, no event is emitted when the oracle address changes. In security-sensitive contracts, it is best practice to emit an event when critical variables such as oracle addresses are updated. Without an event, off-chain services and users monitoring the contract cannot easily track these changes.
Lack of transparency: Users and external monitoring systems will not have an easy way to detect when the oracle address changes.
Potential security risk: If an unauthorized change is made, it may go unnoticed, leading to manipulation or misuse.
Best practice deviation: Fails to follow the common Solidity best practice of emitting events for critical state changes.
Manual code review
Emit an event whenever the oracle address is updated to ensure transparency and accountability.
Define an event:
Modify setOracle to emit the event:
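One way to implement the two steps above, as an added example and not the audited contract's code. The contract name, the `owner` and `oracle` storage variables, the `onlyOwner` modifier, the `NotOwner` error and the event name `OracleUpdated` are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: contract, storage and modifier names are assumptions,
// not taken from the audited code base.
contract OracleConsumer {
    address public owner;
    address public oracle;

    // Both addresses are indexed so off-chain monitors can filter logs
    // by the previous or the new oracle without decoding the data field.
    event OracleUpdated(address indexed previousOracle, address indexed newOracle);

    error NotOwner();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(address initialOracle) {
        owner = msg.sender;
        oracle = initialOracle;
        // Log the initial value too, so the event history alone
        // reconstructs every oracle the contract has ever trusted.
        emit OracleUpdated(address(0), initialOracle);
    }

    function setOracle(address newOracle) external onlyOwner {
        address previousOracle = oracle; // cache before overwriting
        oracle = newOracle;
        emit OracleUpdated(previousOracle, newOracle);
    }
}
```

Emitting the previous and the new address together lets a monitoring service alert on any `OracleUpdated` log whose new address is not on its expected list, without having to poll contract storage.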