[L-01] TreasureHunt::claim incorrectly logs msg.sender in Claimed event
Root + Impact
Description
-
Events in Solidity are used by off-chain applications to track the state of the contract. The Claimed event is intended to track which treasure
was found and which address received the ETH reward -
The issue is that the event logs msg.sender (the caller of the function) as the winner, but the ETH is actually sent to the recipient address
provided in the arguments. The contract explicitly requires that recipient != msg.sender, meaning the event always logs the wrong address as
the beneficiary
Risk
Likelihood:
This occurs on every successful call to claim
Impact:
Data Inaccuracy: Off-chain indexers like The Graph or block explorers will display incorrect data, showing the "claimer" as someone who did not
actually receive the funds
Proof of Concept
The test uses vm.expectEmit to check the parameters of the emitted event. It confirms that the contract emits the event with the attacker address
(msg.sender) even though the reward went to victim1
Recommended Mitigation
Update the emit Claimed statement to use the recipient variable. This ensures the event accurately reflects the movement of funds on-chain
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.
Rewards Distribution
The contest is complete and the rewards are being distributed.