BriVault

First Flight #52
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: low
Valid

`deposit` function may emit inaccurate events.

Description

  • Whenever a user calls the `deposit` function, the `deposited` event is always emitted.

  • However, the event carries only the `receiver` address in its single indexed parameter, and that parameter is named `_depositor` in the event declaration. Off-chain monitoring that trusts the event will therefore attribute the deposit to the share receiver rather than to the caller who actually supplied the assets.

function deposit(uint256 assets, address receiver) public override returns (uint256) {
    // Original code ...
@>  emit deposited (receiver, stakeAsset);
    // Original code ...
}

Risk

Likelihood:

  • This occurs every time the caller (the depositor) and the share receiver are different addresses, which `deposit(assets, receiver)` explicitly allows.

Impact:

  • When the depositor and the share receiver are not the same address, off-chain systems that read the event see only the receiver and cannot identify the actual depositor (`msg.sender`).

Proof of Concept

  • After adding the following function to test/BriVaultTest.t.sol, run forge test --mt test__deposit_whenCallerNotEqualReceiver -vv

function test__deposit_whenCallerNotEqualReceiver() public {
    vm.recordLogs();
    vm.startPrank(user1);
    mockToken.approve(address(briVault), 20 ether);
    // user1 deposits funds into the vault, but the address receiving the shares is user2
    briVault.deposit(20 ether, user2);
    vm.stopPrank();
    Vm.Log[] memory logs = vm.getRecordedLogs();

    // Check logs: find the `deposited` event and read its only indexed parameter
    address depositor = address(0);
    for (uint i = 0; i < logs.length; i++) {
        if (logs[i].topics[0] == keccak256("deposited(address,uint256)")) {
            depositor = address(uint160(uint256(logs[i].topics[1])));
            break;
        }
    }
    vm.assertTrue(depositor != address(0)); // the event was emitted
    vm.assertTrue(user1 != depositor);      // but it does not name the actual depositor
}
  • The console output is as follows:

Ran 1 test for test/briVault.t.sol:BriVaultTest
[PASS] test__deposit_whenCallerNotEqualReceiver() (gas: 178469)
Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 2.20ms (234.60µs CPU time)

Recommended Mitigation

  • Follow ERC4626 practice and include the full set of parameters in the event: the caller (`sender`) and the share recipient (`owner`) as separate indexed fields, so that off-chain consumers can distinguish who paid from who received the shares. The standard `Deposit(address indexed sender, address indexed owner, uint256 assets, uint256 shares)` event also carries both the asset amount and the shares minted.
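The contrast between the two event shapes, as an added Foundry example that is not part of BriVault or of this submission. It uses a hypothetical minimal vault (`EventVault`, share accounting only, no token transfers) that exposes both the original `deposited` shape and an ERC4626-style `Deposit` shape, and a test that decodes the recorded logs the way an off-chain indexer would; `forge-std` and the contract, function and user names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test, Vm} from "forge-std/Test.sol";

// Hypothetical minimal vault (not BriVault's code): only share accounting,
// written to contrast the two event shapes.
contract EventVault {
    // Shape from the finding: the receiver is mislabelled as the depositor.
    event deposited(address indexed _depositor, uint256 _value);
    // ERC4626 shape: caller and share owner are separate indexed fields,
    // and both the asset amount and the minted shares are in the data.
    event Deposit(address indexed sender, address indexed owner, uint256 assets, uint256 shares);

    mapping(address => uint256) public balanceOf;
    uint256 public totalAssets;
    uint256 public totalSupply;

    function previewDeposit(uint256 assets) public view returns (uint256) {
        return totalSupply == 0 ? assets : assets * totalSupply / totalAssets;
    }

    // Original behaviour: only the receiver is logged.
    function depositOld(uint256 assets, address receiver) external returns (uint256 shares) {
        shares = _deposit(assets, receiver);
        emit deposited(receiver, assets);
    }

    // Mitigated behaviour: caller, receiver, assets and shares are all logged.
    function depositFixed(uint256 assets, address receiver) external returns (uint256 shares) {
        shares = _deposit(assets, receiver);
        emit Deposit(msg.sender, receiver, assets, shares);
    }

    function _deposit(uint256 assets, address receiver) internal returns (uint256 shares) {
        shares = previewDeposit(assets);
        totalAssets += assets;
        totalSupply += shares;
        balanceOf[receiver] += shares;
    }
}

contract EventVaultTest is Test {
    EventVault vault;
    address user1 = makeAddr("user1"); // pays the assets
    address user2 = makeAddr("user2"); // receives the shares

    function setUp() public {
        vault = new EventVault();
    }

    // Return the first recorded log whose signature topic matches `sig`.
    function _firstLog(bytes32 sig) internal returns (Vm.Log memory) {
        Vm.Log[] memory logs = vm.getRecordedLogs();
        for (uint256 i = 0; i < logs.length; i++) {
            if (logs[i].topics[0] == sig) return logs[i];
        }
        revert("event not found");
    }

    function _topicToAddress(bytes32 topic) internal pure returns (address) {
        return address(uint160(uint256(topic)));
    }

    // With the original shape, the field named "_depositor" holds the receiver,
    // and the caller cannot be recovered from the log at all.
    function test_oldEvent_namesReceiverNotCaller() public {
        vm.recordLogs();
        vm.prank(user1);
        vault.depositOld(20 ether, user2);

        Vm.Log memory entry = _firstLog(keccak256("deposited(address,uint256)"));
        address labelledDepositor = _topicToAddress(entry.topics[1]);
        assertEq(labelledDepositor, user2);
        assertTrue(labelledDepositor != user1);
    }

    // With the ERC4626 shape, both parties and both amounts are recoverable.
    function test_fixedEvent_carriesBothParties() public {
        vm.recordLogs();
        vm.prank(user1);
        vault.depositFixed(20 ether, user2);

        Vm.Log memory entry = _firstLog(keccak256("Deposit(address,address,uint256,uint256)"));
        assertEq(_topicToAddress(entry.topics[1]), user1); // sender
        assertEq(_topicToAddress(entry.topics[2]), user2); // owner
        (uint256 assets, uint256 shares) = abi.decode(entry.data, (uint256, uint256));
        assertEq(assets, 20 ether);
        assertEq(shares, 20 ether); // first deposit, so 1:1
    }
}
```

Drop the file into `test/` of a Foundry project with `forge-std` installed and run `forge test --mc EventVaultTest -vv`; the first test shows why the original log is misleading, the second shows that an indexer filtering on the ERC4626 `Deposit` topic gets `sender`, `owner`, `assets` and `shares` without any guessing.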

- event deposited (address indexed _depositor, uint256 _value);
+ event deposited (address indexed _sender, address indexed _depositor, uint256 _value);
function deposit(uint256 assets, address receiver) public override returns (uint256) {
// Original code ...
- emit deposited (receiver, stakeAsset);
+ emit deposited (msg.sender, receiver, stakeAsset);
// Original code ...
}
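Review bot: the `+ event deposited (address indexed _sender, address indexed _depositor, uint256 _value);` line still names the receiver `_depositor`, which is the mislabelling the finding is about; since the bullet above asks for ERC4626's `sender`/`owner` terminology, rename the second parameter to `_owner` (or `_receiver`) so the log reads correctly. The ERC4626 `Deposit` event also carries both `assets` and `shares`, whereas `+ emit deposited (msg.sender, receiver, stakeAsset);` only emits `stakeAsset`, so an indexer still cannot recover how many shares `receiver` was minted; consider adding the returned share amount. Finally, the proof-of-concept test filters on `keccak256("deposited(address,uint256)")`, which no longer matches the three-parameter signature, so the test loop must be updated to `deposited(address,address,uint256)` after applying this change.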
Updates

Appeal created

bube Lead Judge 20 days ago
Submission Judgement Published
Validated
Assigned finding tags:

`deposit` function uses the receiver address in the event instead of the depositor
