Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Missing Emission of ValueUpdated Event in TimeWeightedAverage::updateValue: Impaired Auditability and Monitoring

theirrationalone

Summary

The TimeWeightedAverage::updateValue function is designed to update a period’s accumulated data by computing a time-weighted value over the elapsed duration. This involves the calculation:

Time Weighted Sum = (Value * Weight) * Duration

and, ultimately, the time weighted average is given by:

Time Weighted Average = Time Weighted Sum / Total Duration

In the current implementation, although an event—ValueUpdated(uint256 timestamp, uint256 oldValue, uint256 newValue) exists in the contract to notify about changes in values, the updateValue function does not emit this event (or a similar one) upon updating the period's state. This lack of event emission hinders off-chain monitoring, auditing, and debugging, which are essential for transparency and operational integrity in decentralized systems.

Vulnerability Details

Affected Function: TimeWeightedAverage::updateValue

Below is the complete definition of the function with the critical lines highlighted:

function updateValue(Period storage self, uint256 newValue, uint256 timestamp) internal {
if (timestamp < self.startTime || timestamp > self.endTime) {
revert InvalidTime();
}
unchecked {
uint256 duration = timestamp - self.lastUpdateTime;
if (duration > 0) {
uint256 timeWeightedValue = self.value * duration; // Intended: (self.value * self.weight * duration)
if (timeWeightedValue / duration != self.value) revert ValueOverflow();
self.weightedSum += timeWeightedValue;
self.totalDuration += duration;
}
}
uint256 oldValue = self.value;
self.value = newValue;
self.lastUpdateTime = timestamp;
// MISSING EVENT EMISSION:
// The contract already defines:
// event ValueUpdated(uint256 timestamp, uint256 oldValue, uint256 newValue);
// This event should be emitted here to signal that the period's value has been updated.
// For example:
// emit ValueUpdated(timestamp, oldValue, newValue);
}

Key Issues:

  • No Event Emission:
    Despite the existence of the ValueUpdated event, the function fails to emit it upon updating the period's value. This omission results in an absence of on-chain logs that can confirm the update operation.

  • Auditability and Monitoring Impact:
    Without the event emission, off-chain monitoring services, decentralized applications, and auditors cannot trace the updates or verify that the update process is functioning as intended. This lack of transparency can lead to difficulties in detecting anomalies or troubleshooting issues in the protocol.

Proof of Concept

Scenario Walkthrough

  1. Initial Setup:

    • A period is created with the following parameters:

      • startTime = 0

      • endTime = 10

      • value = 10

      • weight = 2.5 (as provided externally, used in other computations)

    • Initially, weightedSum = 0 and totalDuration = 0.

  2. Triggering an Update:

    • At timestamp = 5, the system calls updateValue with newValue = 15.

    • The function calculates the elapsed duration:

      duration = 5 - lastUpdateTime = 5 - 0 = 5

    • It then computes the time weighted value (here, note that weight is not applied, but our focus is on event emission):

      timeWeightedValue = 10 * 5 = 50

    • The weightedSum is updated to 50 and totalDuration to 5.

    • The period’s value is updated to 15, and lastUpdateTime becomes 5.

    • Expected Behavior:
      The function should emit:

      emit ValueUpdated(5, 10, 15);

    • Actual Behavior:
      No event is emitted. Off-chain systems monitoring the blockchain remain unaware of this update, and any audit logs will lack this critical information.

Impact

  • Short-Term Impact:

    • Monitoring Gap: Immediate lack of visibility into updates, leading to potential blind spots in real-time monitoring.

    • Debugging Difficulties: Developers and auditors cannot track state changes, making it harder to diagnose issues when anomalies occur.

  • Long-Term Impact:

    • Audit Trail Incompleteness: Over time, the absence of event logs creates gaps in historical records, complicating post-mortem analyses and forensic investigations.

    • Increased Risk of Exploitation: Without proper logging, malicious activities might go undetected, as abnormal state changes may be hidden.

    • Erosion of Trust: Consistent failure to log critical updates can lead to diminished confidence among users and stakeholders in the system’s transparency and reliability.

Tools Used

  • Manual Review

Recommendations

The following diff illustrates the recommended changes to incorporate the emission of the ValueUpdated event in the updateValue function.

Diff for updateValue Function

function updateValue(Period storage self, uint256 newValue, uint256 timestamp) internal {
if (timestamp < self.startTime || timestamp > self.endTime) {
revert InvalidTime();
}
unchecked {
uint256 duration = timestamp - self.lastUpdateTime;
if (duration > 0) {
uint256 timeWeightedValue = self.value * duration; // Note: consider incorporating weight if required elsewhere.
if (timeWeightedValue / duration != self.value) revert ValueOverflow();
self.weightedSum += timeWeightedValue;
self.totalDuration += duration;
}
}
- self.value = newValue;
- self.lastUpdateTime = timestamp;
+ uint256 oldValue = self.value;
+ self.value = newValue;
+ self.lastUpdateTime = timestamp;
+ emit ValueUpdated(timestamp, oldValue, newValue);
}
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

theirrationalone Submitter
4 months ago
inallhonesty Lead Judge
4 months ago
inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.