The `ReFiSwapRebateHook::withdrawTokens` function emits `TokensWithdrawn` event with wrong parameters order.
TokensWithdrawn event emitted with swapped parameters, indexers and frontends parse the wrong addresses (token vs recipient)
Description
-
The contract defines the
TokensWithdrawnevent with the standard and expected parameter order:
event TokensWithdrawn(address indexed token, address indexed to, uint256 amount); -
However, when emitting, the arguments are passed in reverse order (
to, token, amount). -
As a result, off-chain tools that rely on the event signature and ABI (The Graph, Dune, Etherscan, wallets, internal dashboards) will interpret the first indexed topic as the token address being the recipient, and the second as the token address — completely swapping the meaning.
Risk
Likelihood:
-
Every successful withdrawal by the owner triggers the incorrectly ordered event
-
All existing and future indexers already use the declared event ABI
Impact:
-
Analytics show withdrawals going to the token contract address and tokens being sent to the actual recipient
-
Monitoring alerts (e.g., “large withdrawal of USDC”) fire on the wrong address
-
Frontends and explorers display misleading or completely incorrect withdrawal data
-
Breaks compatibility with any tool that auto-parses this common event pattern
Proof of Concept
Event parameters should be in the defined order.
Recommended Mitigation
Change the event emission to the correct order: first the token address, then the to receiver address, and finally the amount.
Lead Judging Commences
Swapped token and to parameters in TokensWithdrawn event.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.