No Event Emitted on ETH Withdrawal
Root + Impact
Description
-
Normal Behavior:
When ETH is withdrawn from the contract, an event should be emitted to record the withdrawal. This allows off-chain services, auditors, and users to track fund movements and monitor contract activity. Emitting events for critical actions is a best practice in smart contract development, as it improves transparency and accountability.Issue:
Thewithdraw(address target)function does not emit any event when ETH is withdrawn. As a result, there is no on-chain record of withdrawals, making it difficult to audit fund flows, monitor suspicious activity, or integrate with off-chain analytics and monitoring tools. This lack of transparency can hinder security reviews and user trust.
Risk
Likelihood:
Every withdrawal is missing an on-chain record, which can hinder transparency and auditing.
Impact:
While this does not affect contract logic or user funds directly, it reduces transparency and makes off-chain monitoring more difficult.
Proof of Concept
Whenever the owner calls, No event is emitted, so off-chain systems and users cannot track when or how much ETH was withdrawn, or to which address. This can make it difficult to detect unauthorized or suspicious withdrawals.
Recommended Mitigation
Emit an event whenever ETH is withdrawn from the contract. This event should include the recipient address and the amount withdrawn.
Lead Judging Commences
Missing events / Events not properly configured
Informational. This protocol doesn't rely on events to function, they are just nice to have, but not mandatory.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.