Submission Details
Impact:
Likelihood:
Incorrect address emitted in Claimed event leads to misleading logs
Author Revealed upon completion
The contract emits the Claimed event with msg.sender instead of the actual payout recipient, causing off-chain systems to misinterpret who received the reward.
Description
The contract emits the caller (
msg.sender) instead of the actual recipient:
event Claimed(bytes32 indexed treasureHash, address indexed recipient);
// ...
// @> Emits msg.sender instead of recipient
emit Claimed(treasureHash, msg.sender);
Risk
Likelihood
Occurs on every successful
claim()
Impact
Off-chain systems (indexers, dashboards, analytics) record incorrect recipient
Breaks accounting, attribution, and monitoring
Can mislead users and auditors analyzing contract activity
Proof of Concept
Add this test
function testClaimEventEmitsWrongRecipient() public {
(
bytes memory proof,
bytes32 treasureHash,
address payable recipient
) = _loadFixture();
vm.prank(participant);
vm.expectEmit(true, true, false, false);
// Expect recipient, but contract emits msg.sender instead
emit TreasureHunt.Claimed(treasureHash, recipient);
// This will FAIL because actual emitted value is msg.sender
hunt.claim(proof, treasureHash, recipient);
}
Recommended Mitigation
- emit Claimed(treasureHash, msg.sender);
+ emit Claimed(treasureHash, recipient);
Rewards breakdown
nSLOC
220This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.
Rewards Distribution
The contest is complete and the rewards are being distributed.