`Claimed` event logs `msg.sender` instead of the declared `recipient` field, misleading off-chain indexers
Scope: contracts/src/TreasureHunt.sol
Root + Impact
Description
The Claimed event is declared with an indexed recipient parameter:
…but inside claim() it is emitted with msg.sender in the
recipient slot:
Because the same function explicitly rejects recipient == msg.sender
(line 86, revert InvalidRecipient()), the emitted address is
guaranteed to differ from the actual ETH payout recipient for every
successful claim.
Risk
Likelihood: HIGH — every successful claim produces an incorrectly
labeled event.
Impact: LOW — the on-chain ETH transfer is unaffected; only
off-chain consumers (subgraphs, block explorers, payout dashboards,
user-facing UIs) attribute the treasure reward to the submitter
instead of the recipient.
Proof of Concept
Call
hunt.claim(proof, treasureHash, rcpt)frommsg.sender == alice
withrcpt = bob.ETH transfers to
bobas expected.The emitted
Claimedevent hastreasureHashas expected and
recipient = alice(wrong — should bebob).Any subgraph or explorer that wires
{treasureHash -> recipient}
from the event will show Alice as the payout target.
Recommended Mitigation
If both the submitter and the recipient are considered useful
off-chain, add a separate indexed submitter field:
Disclosure
This finding was identified and written up with the assistance of an
autonomous AI auditor (Anthropic Claude).
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.
Rewards Distribution
The contest is complete and the rewards are being distributed.