Wrong value emitted `Claimed` event
Root + Impact
Description
The claim function emits
The recipient address is supposed to be emitted yet it emits the msg sender who is not allowed to be the recipient:
Risk
Likelihood: high
It will be emitted during every call to claim
Impact:
Offchain observers will be reading the wrong value thinking it's the recipient
Proof of Concept
Nil
Recommended Mitigation
Lead Judging Commences
incorrect event parameter
The event is declared as event `Claimed(bytes32 indexed treasureHash, address indexed recipient);`, which clearly indicates that the second indexed field is meant to represent the reward recipient, but `claim()` emits `Claimed(treasureHash, msg.sender)` instead of `Claimed(treasureHash, recipient)`, even though the ETH transfer is sent to recipient and the proof itself is constructed around the public inputs (treasureHash, recipient). As a standalone finding, this is appropriately low severity because it is fundamentally an event/accounting inconsistency rather than a direct loss-of-funds issue: the core state transition and payout still follow the intended recipient, but off-chain consumers reading the event log will observe incorrect metadata about who was associated with the claim.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.