Incorrect Event Parameter Ordering
Root + Impact
Description
The
TokensWithdrawnevent is defined as: event TokensWithdrawn(address indexed token, address indexed to, uint256 amount);. However, the emitted event uses reversed parameter order: emit TokensWithdrawn(to, token, amount);. This causes the token address and recipient address to be swapped in all emitted logs. This results in permanently incorrect event logs and breaks subgraphs, indexers, monitoring, and off-chain accounting tools that rely on the event structure. [here](https://github.com/CodeHawks-Contests/2025-11-rebatefi-hook/blob/add4b298d1246ad2f1df726216849c1c31f83065/src/RebateFiHook.sol#L75)
Risk
Likelihood:
This bug occurs on every execution of withdrawToken(). The incorrect logs will always be emitted unless fixed.
Impact:
It does not affect contract state, it significantly harms observability and transparency.
Proof of Concept
Recommended Mitigation
Update this line of code
Lead Judging Commences
Swapped token and to parameters in TokensWithdrawn event.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.