Location: contracts/src/TreasureHunt.sol:44 (declaration), contracts/src/TreasureHunt.sol:107, 111 (emission)
The Claimed event is declared with a parameter named recipient, and every reader will treat the second indexed topic as the address that received the ETH reward. But inside claim() the emission passes msg.sender, which is the address that submitted the transaction not the address that received the ETH.
The declaration (line 44):
The claim function pays ETH to recipient (line 107) but emits msg.sender as the second topic (line 111):
Because the protocol design explicitly forbids recipient == msg.sender at line 86:
these two addresses are always different. Every Claimed event therefore records a different address from the one that received the ETH. There is no call path where the event is correct.
Likelihood: High. The bug fires on every successful claim. There is no edge case or special configuration needed to trigger it.
Impact: Medium. No funds are lost on-chain; the ETH transfer itself goes to the correct recipient. The damage is in the off-chain view of the system:
The test uses vm.expectEmit with topics (true, true, false, false) to assert that the event's second indexed topic equals attacker (the submitter). The test passes, proving the event really does emit the submitter, while recipient.balance increases by REWARD, proving the ETH went to the actual recipient.
Run:
The test passes, which means the contract's event layout disagrees with reality.
The simplest fix is to emit the actual recipient:
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.