SNARKeling Treasure Hunt
First Flight #59
Beginner FriendlyGameFiFoundry
100 EXP
View all submissions
Previous Next
Submission Details
Impact: low
Likelihood: high

L-01 Claim Event Emits Caller Instead of Actual Payout Recipient

Author Revealed upon completion

Description

The Claimed event is defined with an indexed recipient field, but the contract emits msg.sender instead of the actual payout recipient address.

This causes the event log to diverge from the real reward destination recorded in state transitions and ETH flow.

Risk

This issue does not directly cause fund loss, but it weakens observability and auditability:

  • off-chain monitoring may record the wrong recipient

  • analytics and indexing pipelines may misinterpret reward payouts

  • incident review and user support may rely on misleading event data

Proof of Concept

The event definition is:

event Claimed(bytes32 indexed treasureHash, address indexed recipient);

but the emitted value is:

emit Claimed(treasureHash, msg.sender);

If a caller submits a valid claim on behalf of a different recipient, the event logs the caller instead of the actual reward receiver.

Recommended Mitigation

Emit the real payout recipient instead of msg.sender.

diff --git a/contracts/src/TreasureHunt.sol b/contracts/src/TreasureHunt.sol
--- a/contracts/src/TreasureHunt.sol
+++ b/contracts/src/TreasureHunt.sol
@@ -108,7 +108,7 @@ contract TreasureHunt {
require(sent, "ETH_TRANSFER_FAILED");
- emit Claimed(treasureHash, msg.sender);
+ emit Claimed(treasureHash, recipient);
}

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!