Submission Details
Severity:
Incorrect Event Parameter Order
Root + Impact
Description
The `TokensWithdrawn` event declaration and emission have mismatched parameter orders, causing off-chain systems to misinterpret event data.
// Event declared with parameters: (token, to, amount)
event TokensWithdrawn(address indexed token, address indexed to, uint256 amount);
// But emitted with parameters: (to, token, amount)
emit TokensWithdrawn(to, token, amount);
Risk
Impact:
-
Off-chain monitoring systems will misinterpret token withdrawal events
-
Indexed parameters will be incorrectly parsed
-
Event tracking and analytics will show wrong data
Proof of Concept
Add the following to `RebateFiHookTest.t.sol`
The test shows the event is emitted with parameters in the wrong order, which will cause off-chain systems to misinterpret the token and recipient addresses.
function test_TokensWithdrawnEventParameterOrder() public {
reFiToken.mint(address(rebateHook), 100 ether);
vm.expectEmit(true, true, false, true);
// Expected: (token, to, amount) but actual: (to, token, amount)
emit ReFiSwapRebateHook.TokensWithdrawn(address(this), address(reFiToken), 100 ether);
rebateHook.withdrawTokens(address(reFiToken), address(this), 100 ether);
}
Recommended Mitigation
function withdrawTokens(address token, address to, uint256 amount) external onlyOwner {
IERC20(token).transfer(to, amount);
- emit TokensWithdrawn(to, token, amount);
+ emit TokensWithdrawn(token, to, amount);
}
Updates
Lead Judging Commences
chaossr 8 days ago
Submission Judgement Published Assigned finding tags:
Swapped token and to parameters in TokensWithdrawn event.
Rewards breakdown
nSLOC
150This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.