RebateFi Hook

First Flight #53
Beginner Friendly, DeFi
100 EXP
Submission Details
Severity: low
Valid

Wrong order of event parameters can cause confusion for external or off-chain services relying on it.

Root + Impact

Description

  • In the ReFiSwapRebateHook::withdrawTokens function, the order of the parameters of the TokensWithdrawn event is wrong.

  • Even though this function can only be called by the owner, the swapped arguments can mislead external or off-chain services that rely on the event.

@> event TokensWithdrawn(address indexed token, address indexed to, uint256 amount);
.
.
.
function withdrawTokens(address token, address to, uint256 amount) external onlyOwner {
    IERC20(token).transfer(to, amount);
@>  emit TokensWithdrawn(to, token, amount);
}

Risk

Likelihood: High

  • It happens every time the owner calls the withdrawTokens function.

Impact: Low

  • It impacts the external services or parties which depend on it and expect to extract correct information out of it.

Proof of Concept

It is obvious by just looking at the order of parameters in the code. It is defined as (token, to, amount) but it is used as (to, token, amount).

event TokensWithdrawn(address indexed token, address indexed to, uint256 amount);
emit TokensWithdrawn(to, token, amount);
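
How the swapped arguments look to an off-chain consumer, as an added example that is not part of the submission or the project's code: the indexer decodes the log by the declared ABI order and cross-checks it against the token's own `Transfer` log in the same receipt. The addresses, the `WITHDRAWN_TOPIC0` placeholder and the log dictionaries are constructed, and the token is assumed to emit the standard ERC-20 `Transfer` event.

```python
# Added example with constructed data; addresses and WITHDRAWN_TOPIC0 are hypothetical.
# keccak256("Transfer(address,address,uint256)"), the standard ERC-20 Transfer topic.
TRANSFER_TOPIC0 = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
WITHDRAWN_TOPIC0 = "0x" + "aa" * 32  # placeholder, NOT the real TokensWithdrawn hash

HOOK = "0x" + "11" * 20       # constructed hook address
TOKEN = "0x" + "22" * 20      # constructed ERC-20 address
RECIPIENT = "0x" + "33" * 20  # constructed withdrawal recipient

def topic(addr):
    """Left-pad a 20-byte address to a 32-byte indexed topic."""
    return "0x" + addr[2:].rjust(64, "0")

def addr_of(t):
    """Recover the address from a 32-byte topic."""
    return "0x" + t[-40:]

def build_receipt(withdrawn_args, amount):
    """Logs of one withdrawTokens call: the token's Transfer, then the hook's event."""
    first, second = withdrawn_args
    data = "0x" + format(amount, "064x")
    return [
        {"address": TOKEN, "topics": [TRANSFER_TOPIC0, topic(HOOK), topic(RECIPIENT)], "data": data},
        {"address": HOOK, "topics": [WITHDRAWN_TOPIC0, topic(first), topic(second)], "data": data},
    ]

def decode_withdrawn(log):
    """Decode by the declared ABI order: (token indexed, to indexed, amount)."""
    return {"token": addr_of(log["topics"][1]), "to": addr_of(log["topics"][2]),
            "amount": int(log["data"], 16)}

def cross_check(receipt):
    """Return decoded TokensWithdrawn events not backed by a Transfer log in the receipt."""
    transfers = {(log["address"], addr_of(log["topics"][2]), int(log["data"], 16))
                 for log in receipt if log["topics"][0] == TRANSFER_TOPIC0}
    mismatched = []
    for log in receipt:
        if log["topics"][0] == WITHDRAWN_TOPIC0:
            ev = decode_withdrawn(log)
            if (ev["token"], ev["to"], ev["amount"]) not in transfers:
                mismatched.append(ev)
    return mismatched

buggy = build_receipt((RECIPIENT, TOKEN), 500)  # emit TokensWithdrawn(to, token, amount)
fixed = build_receipt((TOKEN, RECIPIENT), 500)  # emit TokensWithdrawn(token, to, amount)
```

With the buggy emit, the decoder reports the recipient as the token and the token as the recipient, and `cross_check` flags the event because no `Transfer` from that "token" address exists in the receipt.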

Recommended Mitigation

Please make the following change to solve the issue.

function withdrawTokens(address token, address to, uint256 amount) external onlyOwner {
IERC20(token).transfer(to, amount);
- emit TokensWithdrawn(to, token, amount);
+ emit TokensWithdrawn(token, to, amount);
}
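Review bot: on the unchanged context line `IERC20(token).transfer(to, amount);` the boolean return value is discarded, so for a token that returns false instead of reverting, the corrected `emit TokensWithdrawn(token, to, amount);` would still log a withdrawal that did not happen. Consider OpenZeppelin's `SafeERC20.safeTransfer` or a `require` on the return value, and add a test that asserts the emitted indexed topics so the argument order cannot drift from the declaration `(token, to, amount)` again.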
Updates

Lead Judging Commences

chaossr Lead Judge 12 days ago
Submission Judgement Published
Validated
Assigned finding tags:

Swapped token and to parameters in TokensWithdrawn event.
