RebateFi Hook

First Flight #53

Beginner FriendlyDeFi

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Misleading `TokensWithdrawn` Event Data due to Parameter Swap

howiecht

Misleading `TokensWithdrawn` Event Data due to Parameter Swap

Description

The TokensWithdrawn event is intended to signal the withdrawal of a specific token to a designated to address with a certain amount.
However, within the withdrawTokens function, the parameters token (the ERC20 token address being withdrawn) and to (the recipient address) are swapped when emitting the TokensWithdrawn event. This leads to incorrect and misleading on-chain event data.

function withdrawTokens(address token, address to, uint256 amount) external onlyOwner {

IERC20(token).transfer(to, amount);

@> emit TokensWithdrawn(to, token, amount);

//@audit should be TokensWithdrawn(token, to, amount)

}

Risk

Likelihood:

This logical error occurs every time the withdrawTokens function is successfully called by the contract owner.

Impact:

The primary impact is the corruption of on-chain event data but no users or protocol fund loss.

Proof of Concept

Running the existing test test_WithdrawTokens_Success confirms this. The trace shows the event being emitted with the token and to parameters reversed relative to their intended meaning in the withdrawTokens function and the event definition:

│ ├─ emit TokensWithdrawn(token: TestReFiSwapRebateHook: [0x7FA9385bE102ac3EAc297483Dd6233D62b3e1496], to: MockERC20: [0x212224D2F2d262cd093eE13240ca4873fcCBbA3C], amount: 500000000000000000 [5e17])

Recommended Mitigation

function withdrawTokens(address token, address to, uint256 amount) external onlyOwner {

IERC20(token).transfer(to, amount);

- emit TokensWithdrawn(to, token, amount);

+ emit TokensWithdrawn(token, to, amount)

}

Updates

Lead Judging Commences

chaossr Lead Judge 11 days ago

Submission Judgement Published

Validated

Assigned finding tags:

Swapped token and to parameters in TokensWithdrawn event.

Rewards breakdown

nSLOC

150

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!

RebateFi Hook

Misleading `TokensWithdrawn` Event Data due to Parameter Swap

Misleading TokensWithdrawn Event Data due to Parameter Swap

Description

Risk

Proof of Concept

Recommended Mitigation

Lead Judging Commences

Swapped token and to parameters in TokensWithdrawn event.

Rewards breakdown

Live

Judging

Appeals

Appeals Review

Rewards Distribution

FAQs

Misleading `TokensWithdrawn` Event Data due to Parameter Swap