RebateFi Hook

First Flight #53
Beginner Friendly · DeFi
100 EXP
Submission Details
Severity: low
Valid

TokensWithdrawn event parameters are emitted in the wrong order

Description

  • Events should be emitted with parameters in the exact order and types declared in the event definition, so off‑chain indexers and analytics (e.g., The Graph, Dune scripts, monitoring bots) can reliably parse the fields (token, to, amount) and attribute each one to the correct value.

  • The TokensWithdrawn event is declared as (address token, address to, uint256 amount), but the emit statement swaps the first two arguments and emits (to, token, amount). Off‑chain systems that decode the log by declared position therefore read the recipient as the token and the token as the recipient, leading to incorrect attribution of withdrawals.

```solidity
// Root cause in the codebase with @> marks to highlight the relevant section
event TokensWithdrawn(address indexed token, address indexed to, uint256 amount);

function withdrawTokens(address token, address to, uint256 amount) external onlyOwner {
    IERC20(token).transfer(to, amount);
@>  emit TokensWithdrawn(to, token, amount); // <-- wrong order: (to, token, amount) vs (token, to, amount)
}
```

Risk

Likelihood: High

  • Occurs every time the owner calls withdrawTokens (routine administrative operation).

  • Triggers consistently across all tokens and amounts; no edge case needed.

Impact: Low

  • Analytics and compliance errors: Indexers will record the recipient address as the token contract and vice versa, corrupting dashboards, auditing reports, and alert systems.

  • Operational confusion: Off‑chain monitoring that relies on token and to fields may alert on the wrong token or misreport who received funds, complicating incident response and treasury bookkeeping.

Proof of Concept

  • The following Foundry test passes only because of the wrong ordering: it expects the swapped (to, token) order and matches the event the contract actually emits. Once the order is fixed, this expectation fails.

```solidity
event TokensWithdrawn(address indexed token, address indexed to, uint256 amount);

function test_TokensWithdrawnEventWrongOrder() public {
    uint256 amount = 1 ether;
    reFiToken.transfer(address(rebateHook), amount);
    vm.expectEmit(true, true, false, false);
    emit ReFiSwapRebateHook.TokensWithdrawn(user1, address(reFiToken), amount);
    rebateHook.withdrawTokens(address(reFiToken), user1, amount);
}
```
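To show the defect and the mitigation side by side, here is an added Foundry test suite; it is example code written for this page, not the project's own. It assumes a stand-in Vault contract (a `swapped` flag selects the buggy or the corrected emit) and a MockToken in place of REFI; the real hook, its owner modifier and token are not used. The first test encodes the expectation every off-chain consumer holds and passes only against the corrected emit; the second records the raw log from the buggy emit and decodes its topics by declared position, which is exactly what an indexer does, and shows the recipient landing in the `token` slot.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test, Vm} from "forge-std/Test.sol";

// Minimal ERC20 surface the vault needs. MockToken stands in for REFI (assumption).
interface IERC20Like {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract MockToken is IERC20Like {
    mapping(address => uint256) public balanceOf;

    constructor() { balanceOf[msg.sender] = 1_000 ether; }

    function transfer(address to, uint256 amount) external returns (bool) {
        balanceOf[msg.sender] -= amount; // checked arithmetic reverts on insufficient balance
        balanceOf[to] += amount;
        return true;
    }
}

// Stand-in for the hook's withdrawTokens (hypothetical, not the project's contract).
// `swapped = true` reproduces the finding; `swapped = false` is the recommended mitigation.
contract Vault {
    event TokensWithdrawn(address indexed token, address indexed to, uint256 amount);

    address public immutable owner;
    bool public immutable swapped;

    constructor(bool swapped_) {
        owner = msg.sender;
        swapped = swapped_;
    }

    function withdrawTokens(address token, address to, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        IERC20Like(token).transfer(to, amount);
        if (swapped) {
            emit TokensWithdrawn(to, token, amount); // the defect: topics[1] and topics[2] swapped
        } else {
            emit TokensWithdrawn(token, to, amount); // declared order
        }
    }
}

contract TokensWithdrawnOrderTest is Test {
    // Redeclared locally so `emit` can serve as the expectEmit template.
    event TokensWithdrawn(address indexed token, address indexed to, uint256 amount);

    MockToken internal token;
    address internal user = makeAddr("user");
    uint256 internal constant AMOUNT = 1 ether;

    function setUp() public {
        token = new MockToken();
    }

    function _fundedVault(bool swapped) internal returns (Vault v) {
        v = new Vault(swapped);
        token.transfer(address(v), AMOUNT);
    }

    // The expectation every off-chain consumer holds: (token, to, amount).
    // Passes against the corrected vault; switch _fundedVault(true) in and it fails.
    function test_fixedVaultEmitsDeclaredOrder() public {
        Vault v = _fundedVault(false);
        vm.expectEmit(true, true, true, true); // check both indexed topics and the data
        emit TokensWithdrawn(address(token), user, AMOUNT);
        v.withdrawTokens(address(token), user, AMOUNT);
    }

    // What an indexer receives from the buggy vault: decode the raw log by declared
    // position and the recipient shows up in the `token` slot.
    function test_buggyVaultLogHasSwappedTopics() public {
        Vault v = _fundedVault(true);
        vm.recordLogs();
        v.withdrawTokens(address(token), user, AMOUNT);
        Vm.Log[] memory logs = vm.getRecordedLogs();
        Vm.Log memory entry = logs[logs.length - 1]; // MockToken emits nothing, so this is TokensWithdrawn

        assertEq(entry.topics[0], keccak256("TokensWithdrawn(address,address,uint256)"));
        address decodedToken = address(uint160(uint256(entry.topics[1])));
        address decodedTo = address(uint160(uint256(entry.topics[2])));
        assertEq(decodedToken, user, "indexer reads the recipient as the token");
        assertEq(decodedTo, address(token), "indexer reads the token as the recipient");
        assertEq(abi.decode(entry.data, (uint256)), AMOUNT);
        assertEq(token.balanceOf(user), AMOUNT); // funds moved correctly; only the event is wrong
    }
}
```

Run with `forge test --match-contract TokensWithdrawnOrderTest -vv`. The second test is the one worth keeping as a monitoring check: it decodes the log the way a subgraph or alerting bot would, so any future regression in argument order shows up as a misattributed address rather than as a silently passing `expectEmit` written against the wrong template.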

Recommended Mitigation

  • Emit parameters in the declared order:

```diff
function withdrawTokens(address token, address to, uint256 amount) external onlyOwner {
IERC20(token).transfer(to, amount);
- emit TokensWithdrawn(to, token , amount);
+ emit TokensWithdrawn(token, to, amount);
}
```
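Review bot: the `+` line restores the declared (token, to, amount) order, but the PoC test above still expects the swapped order (`emit ReFiSwapRebateHook.TokensWithdrawn(user1, address(reFiToken), amount)`) and will fail once this lands; update it to `emit ReFiSwapRebateHook.TokensWithdrawn(address(reFiToken), user1, amount)` and use `vm.expectEmit(true, true, true, true)` so the non-indexed amount is checked as well, turning it into a regression test for this finding. Separately, the unchanged context line `IERC20(token).transfer(to, amount);` still discards the boolean return, so a token that returns false instead of reverting would emit TokensWithdrawn without moving funds; SafeERC20's safeTransfer (or checking the return) keeps the event honest.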
Updates

Lead Judging Commences

chaossr Lead Judge 12 days ago
Submission Judgement Published
Validated
Assigned finding tags:

Swapped token and to parameters in TokensWithdrawn event.
