Submission Details
Severity:
Event Parameter Order Mismatch in `withdrawTokens`
Description:
The parameters given to emit TokensWithdrawn() are swapped; the event expects (token, to, amount) but the function emits (to, token, amount).
Impact:
Off-chain apps, indexers, and dashboards will interpret events incorrectly.
Proof of Concept:
event TokensWithdrawn(address indexed token, address indexed to, uint256 amount);
function test_TokensWithdrawn_EventArgumentsSwapped() public {
// Send some ReFi tokens to the hook
uint256 transferAmount = 1 ether;
reFiToken.transfer(address(rebateHook), transferAmount);
uint256 withdrawAmount = 0.5 ether;
// Because the hook emits TokensWithdrawn(to, token, amount),
// we must expect the first indexed argument to be `user1`
// and the second to be `address(reFiToken)` in order for
// expectEmit to pass.
vm.expectEmit(true, true, false, true, address(rebateHook));
emit TokensWithdrawn(user1, address(reFiToken), withdrawAmount);
rebateHook.withdrawTokens(address(reFiToken), user1, withdrawAmount);
}
Result: event logs appear with the wrong addresses indexed.
Mitigation:
Change the emission to match the event definition:
- emit TokensWithdrawn(to, token , amount);
+ emit TokensWithdrawn(token, to, amount);
Updates
Lead Judging Commences
chaossr 11 days ago
Submission Judgement Published Assigned finding tags:
Swapped token and to parameters in TokensWithdrawn event.
Rewards breakdown
nSLOC
150This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.