Submission Details
Severity:
Event Parameter Order Mismatch in `withdrawTokens`
Root + Impact
Description
-
Describe the normal behavior in one or more sentences
-
Explain the specific issue or problem in one or more sentences
The `TokensWithdrawn` event is emitted with parameters in the wrong order compared to its declaration, causing incorrect event indexing and potential issues with off-chain monitoring.
**Description**:
* The normal behavior expects events to be emitted with parameters in the same order as declared in the event definition for proper indexing and off-chain parsing.
* The specific issue is that `withdrawTokens` emits the event with `(to, token, amount)` but the event is declared as `TokensWithdrawn(address indexed token, address indexed to, uint256 amount)`, causing the token and recipient addresses to be swapped in the event logs.
**Root cause in the codebase**:
```solidity
// @> src/RebateFiHook.sol:44
event TokensWithdrawn(address indexed token, address indexed to, uint256 amount);
// @> src/RebateFiHook.sol:73-75
function withdrawTokens(address token, address to, uint256 amount) external onlyOwner {
IERC20(token).transfer(to, amount);
emit TokensWithdrawn(to, token , amount); // Wrong order!
}
```
Risk
Likelihood:
-
* This occurs on every call to `withdrawTokens`
* The mismatch is deterministic and always produces incorrect event data
Impact:
-
* Off-chain monitoring systems will incorrectly identify which token was withdrawn and to which address
* Event indexing will be wrong, making it difficult to track token withdrawals
* Analytics and compliance tools relying on events will have incorrect data
Proof of Concept
The following demonstrates how the parameter mismatch causes incorrect event indexing:
```solidity
// Event declaration (correct order):
event TokensWithdrawn(
address indexed token, // First indexed parameter
address indexed to, // Second indexed parameter
uint256 amount
);
// Current buggy implementation:
function withdrawTokens(address token, address to, uint256 amount) external onlyOwner {
IERC20(token).transfer(to, amount);
emit TokensWithdrawn(to, token, amount); // WRONG ORDER!
}
// Example execution:
address reFiToken = 0x1234...;
address recipient = 0x5678...;
uint256 amount = 100 ether;
rebateHook.withdrawTokens(reFiToken, recipient, amount);
// Event emitted with wrong order:
// TokensWithdrawn(0x5678..., 0x1234..., 100 ether)
// ^^^^^^^^ ^^^^^^^^
// to token (swapped!)
// Off-chain query impact:
// Query: "Get all withdrawals of token 0x1234..."
// Expected: Finds withdrawals where token = 0x1234...
// Actual: Finds withdrawals where recipient = 0x1234... (WRONG!)
// Result: Monitoring systems cannot track token withdrawals correctly
```
**Step-by-step execution:**
1. Owner calls `withdrawTokens(0x1234..., 0x5678..., 100 ether)`
2. Transfer executes successfully
3. Event emitted with parameters: `(0x5678..., 0x1234..., 100 ether)`
4. Event log stores: `token = 0x5678...` (should be `0x1234...`)
5. Event log stores: `to = 0x1234...` (should be `0x5678...`)
6. Off-chain system queries: "All withdrawals of token 0x1234..."
7. Query searches indexed `token` field, finds `0x5678...` (wrong!)
8. System cannot find the actual withdrawal, data integrity compromised
Recommended Mitigation
Fix the parameter order to match the event declaration:
```diff
// src/RebateFiHook.sol:73-75
function withdrawTokens(address token, address to, uint256 amount) external onlyOwner {
IERC20(token).transfer(to, amount);
- emit TokensWithdrawn(to, token , amount);
+ emit TokensWithdrawn(token, to, amount);
}
```
**Explanation:**
- Event declaration: `TokensWithdrawn(address indexed token, address indexed to, uint256 amount)`
- Parameters must be emitted in the same order: `(token, to, amount)`
- This ensures proper event indexing for off-chain monitoring systems
- Indexed parameters allow efficient filtering by token address or recipient address
- Correct order enables accurate analytics and compliance tracking
Updates
Lead Judging Commences
chaossr 11 days ago
Submission Judgement Published Assigned finding tags:
Swapped token and to parameters in TokensWithdrawn event.
Rewards breakdown
nSLOC
150This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.