Submission Details
Severity: low
Valid

Lack of Event Emission for Important Oracle State Changes

Summary

The update_profit_max_unlock_time function in ScrvusdOracleV2.vy does not emit an event when updating a critical oracle parameter.

Vulnerability Details

While the update_price function emits a PriceUpdate event, there is no corresponding event for update_profit_max_unlock_time.

```vyper
@external
def update_profit_max_unlock_time(_profit_max_unlock_time: uint256, _block_number: uint256) -> bool:
    access_control._check_role(UNLOCK_TIME_VERIFIER, msg.sender)
    assert self.last_block_number <= _block_number, "Outdated"
    self.last_block_number = _block_number
    prev_value: uint256 = self.profit_max_unlock_time
    self.profit_max_unlock_time = _profit_max_unlock_time
    return prev_value != _profit_max_unlock_time
```

This makes it difficult to track changes to this parameter off-chain.

Impact

Lack of event emission reduces transparency and makes it harder for monitoring systems to track important state changes, potentially delaying the detection of issues.

Tools Used

Manual Review

Slither

Recommendations

Add an event for profit_max_unlock_time updates:

```vyper
event UpdateProfitMaxUnlockTime:
    old_value: uint256
    new_value: uint256
    block_number: uint256
```
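
The recommendation declares the event; the function also has to emit it. The contract below is an added example, not the project's own code, showing the function from the finding with the log statement in place. Assumptions: Vyper 0.4.x syntax, and a single hypothetical `verifier` address plus constructor standing in for the `access_control` role check so the file compiles on its own.

```vyper
# pragma version ~=0.4.0
# Added example, not the ScrvusdOracleV2.vy source.

event UpdateProfitMaxUnlockTime:
    old_value: uint256
    new_value: uint256
    block_number: uint256

# Hypothetical stand-in for access_control / UNLOCK_TIME_VERIFIER.
verifier: public(address)

last_block_number: public(uint256)
profit_max_unlock_time: public(uint256)


@deploy
def __init__(_verifier: address):
    self.verifier = _verifier


@external
def update_profit_max_unlock_time(_profit_max_unlock_time: uint256, _block_number: uint256) -> bool:
    # Assumption: simple address check instead of
    # access_control._check_role(UNLOCK_TIME_VERIFIER, msg.sender)
    assert msg.sender == self.verifier, "Not verifier"
    assert self.last_block_number <= _block_number, "Outdated"
    self.last_block_number = _block_number
    prev_value: uint256 = self.profit_max_unlock_time
    self.profit_max_unlock_time = _profit_max_unlock_time
    # Emit on every accepted call: last_block_number advances even when the
    # value is unchanged, and monitors can compare old_value to new_value.
    log UpdateProfitMaxUnlockTime(prev_value, _profit_max_unlock_time, _block_number)
    return prev_value != _profit_max_unlock_time
```
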

Updates

Lead Judging Commences

0xnevi Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-missing-event-emission-profit_max_unlock_time

I believe low severity to be appropriate here; events could be used to be more explicit about the upcoming effects on price for changes in max unlock time, similar to what is included in `update_price` with the `PriceUpdate` event.
