The `Claimed` event is emitted with `msg.sender` instead of the actual payout recipient, causing off-chain systems to misinterpret who received the reward. The contract emits the caller (`msg.sender`) instead of the actual recipient:
- Occurs on every successful `claim()`
- Off-chain systems (indexers, dashboards, analytics) record incorrect recipient
- Breaks accounting, attribution, and monitoring
- Can mislead users and auditors analyzing contract activity
Add this test
The event is declared as `event Claimed(bytes32 indexed treasureHash, address indexed recipient);`, which clearly indicates that the second indexed field is meant to represent the reward recipient. However, `claim()` emits `Claimed(treasureHash, msg.sender)` instead of `Claimed(treasureHash, recipient)`, even though the ETH transfer is sent to `recipient` and the proof itself is constructed around the public inputs `(treasureHash, recipient)`. As a standalone finding, this is appropriately low severity because it is fundamentally an event/accounting inconsistency rather than a direct loss-of-funds issue: the core state transition and payout still follow the intended recipient, but off-chain consumers reading the event log will observe incorrect metadata about who was associated with the claim.
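An off-chain consumer can detect the inconsistency by reconciling each `Claimed` log against the ETH transfer made in the same transaction. The sketch below is an added example, not code from the contest repository; the addresses, hashes, `CLAIMED_TOPIC0` placeholder and the shape of the log/transfer records are constructed assumptions.

```python
ZERO12 = "0" * 24  # 12 zero bytes of left padding, hex-encoded

def pad(addr):
    """Encode an address the way an indexed `address` topic stores it."""
    return "0x" + ZERO12 + addr[2:].lower()

def topic_to_address(topic):
    """Decode a 32-byte indexed `address` topic back to a 20-byte address."""
    raw = topic.lower()
    raw = raw[2:] if raw.startswith("0x") else raw
    if len(raw) != 64 or raw[:24] != ZERO12:
        raise ValueError("not an address topic: " + topic)
    return "0x" + raw[24:]

def reconcile(logs, transfers, claimed_topic0):
    """Return (tx, treasureHash, event_recipient, paid_to) for every Claimed
    log whose indexed recipient differs from where the ETH actually went.
    Assumes one payout transfer per claim transaction."""
    paid = {t["tx"]: t["to"].lower() for t in transfers}
    mismatches = []
    for log in logs:
        topics = log["topics"]
        # topics: [event signature hash, treasureHash, recipient]
        if len(topics) != 3 or topics[0] != claimed_topic0:
            continue
        event_recipient = topic_to_address(topics[2])
        paid_to = paid.get(log["tx"])
        if paid_to is not None and paid_to != event_recipient:
            mismatches.append((log["tx"], topics[1], event_recipient, paid_to))
    return mismatches

# --- Constructed sample data (hypothetical values, not real chain data) ---
CLAIMED_TOPIC0 = "0x" + "c1" * 32  # placeholder for keccak256("Claimed(bytes32,address)")
ALICE, RELAYER = "0x" + "aa" * 20, "0x" + "bb" * 20
TREASURE_1, TREASURE_2 = "0x" + "11" * 32, "0x" + "22" * 32

SAMPLE_LOGS = [
    # A relayer submits the claim for ALICE; the event records msg.sender.
    {"tx": "0x01", "topics": [CLAIMED_TOPIC0, TREASURE_1, pad(RELAYER)]},
    # ALICE claims for herself; caller == recipient, so the bug is invisible.
    {"tx": "0x02", "topics": [CLAIMED_TOPIC0, TREASURE_2, pad(ALICE)]},
]
SAMPLE_TRANSFERS = [{"tx": "0x01", "to": ALICE}, {"tx": "0x02", "to": ALICE}]

if __name__ == "__main__":
    for row in reconcile(SAMPLE_LOGS, SAMPLE_TRANSFERS, CLAIMED_TOPIC0):
        print("event/payout mismatch:", row)
```

Only claims where the caller differs from the recipient surface as mismatches, which is why the problem can go unnoticed when users claim for themselves.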