Description
The deposited event is intended to emit the address that deposited into the vault along with the amount deposited.
However, the deposit function currently emits the receiver address as the depositor instead of msg.sender.
@> event deposited (address indexed _depositor, uint256 _value);

   function deposit(uint256 assets, address receiver) public override returns (uint256) {
       require(receiver != address(0));
       if (block.timestamp >= eventStartDate) {
           revert eventStarted();
       }
       uint256 fee = _getParticipationFee(assets);
       if (minimumAmount + fee > assets) {
           revert lowFeeAndAmount();
       }
       uint256 stakeAsset = assets - fee;
       stakedAsset[receiver] = stakeAsset;
       uint256 participantShares = _convertToShares(stakeAsset);
@>     IERC20(asset()).safeTransferFrom(msg.sender, participationFeeAddress, fee);
@>     IERC20(asset()).safeTransferFrom(msg.sender, address(this), stakeAsset);
       _mint(msg.sender, participantShares);
@>     emit deposited (receiver, stakeAsset);
       return participantShares;
   }
Risk
Likelihood:
This occurs whenever a user calls deposit with receiver set to a different address.
Impact:
The emitted event data will be incorrect, potentially causing off-chain indexers to attribute deposits to the wrong address.
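An indexer can detect the misattribution described above by reconciling each deposited event against the token Transfer log emitted in the same transaction. The following is an added example, not code from the audited project: it assumes the vault asset is a standard ERC-20 that emits Transfer(from, to, value), and the decoded-log dictionaries, addresses, hashes and amounts are all constructed.

```python
# Added example. All addresses, hashes and amounts are constructed sample data.
ALICE, BOB = "0x" + "a1" * 20, "0x" + "b0" * 20
VAULT, FEE_ADDR = "0x" + "cc" * 20, "0x" + "fe" * 20

def tx(tx_hash, payer, logged_depositor, stake=980, fee=20):
    """Decoded logs that one deposit() call produces, in emission order."""
    return tx_hash, [
        {"event": "Transfer", "from": payer, "to": FEE_ADDR, "value": fee},
        {"event": "Transfer", "from": payer, "to": VAULT, "value": stake},
        {"event": "deposited", "_depositor": logged_depositor, "_value": stake},
    ]

SAMPLE_LOGS = dict([
    tx("0xtx1", payer=ALICE, logged_depositor=ALICE),  # receiver == msg.sender
    tx("0xtx2", payer=ALICE, logged_depositor=BOB),    # receiver = BOB, buggy emit
    tx("0xtx3", payer=BOB, logged_depositor=BOB),      # receiver == msg.sender
])

def attribute(tx_logs, vault=VAULT):
    """Yield (tx_hash, logged_depositor, payer, value) per deposited event.
    payer is the `from` of the same-transaction Transfer into the vault, or None."""
    for tx_hash, logs in tx_logs.items():
        funding = [l for l in logs if l["event"] == "Transfer" and l["to"] == vault]
        for dep in (l for l in logs if l["event"] == "deposited"):
            # deposit() moves exactly stakeAsset from msg.sender to the vault.
            match = next((t for t in funding if t["value"] == dep["_value"]), None)
            if match is not None:
                funding.remove(match)  # one Transfer backs one deposited event
            payer = match["from"] if match is not None else None
            yield tx_hash, dep["_depositor"], payer, dep["_value"]

def mismatches(tx_logs):
    """deposited events whose _depositor is not the account that paid."""
    return [r for r in attribute(tx_logs)
            if r[2] is None or r[1].lower() != r[2].lower()]

def totals(tx_logs, by_payer):
    """Per-address deposit totals, keyed by event field or by actual payer."""
    out = {}
    for _, logged, payer, value in attribute(tx_logs):
        key = (payer or logged) if by_payer else logged
        out[key] = out.get(key, 0) + value
    return out

if __name__ == "__main__":
    print("mismatched events:", mismatches(SAMPLE_LOGS))
    print("event-only totals:", totals(SAMPLE_LOGS, by_payer=False))
    print("payer-based totals:", totals(SAMPLE_LOGS, by_payer=True))
```

Matching on value assumes the asset is not a fee-on-transfer token; for such tokens the Transfer amount received by the vault would differ from stakeAsset.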
Recommended Mitigation
Emit msg.sender instead of receiver in the deposited event.
function deposit(uint256 assets, address receiver) public override returns (uint256) {
...
- emit deposited (receiver, stakeAsset);
+ emit deposited (msg.sender, stakeAsset);
return participantShares;
}
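Review bot: the replacement emit line drops receiver from the log entirely, while the function above records stakedAsset[receiver] and mints shares to msg.sender, so after this change an indexer can no longer tell from the event which address the stake was recorded for. Consider carrying both addresses, for example deposited(address indexed _depositor, address indexed _receiver, uint256 _value), and documenting that _depositor is msg.sender. Note that changing the event signature changes its topic hash, so existing indexers would need to be updated in step.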