SNARKeling Treasure Hunt

First Flight #59
Beginner Friendly, GameFi, Foundry
100 EXP
Submission Details
Impact: low
Likelihood: high

Claimed event emits msg.sender instead of recipient

Author Revealed upon completion

Root + Impact: contracts/src/TreasureHunt.sol -> emit Claimed(treasureHash, msg.sender) emits the submitter instead of the reward recipient

Description

  • The reward goes to recipient but the event logs msg.sender. Off-chain indexers, explorers, and front-ends tracking reward recipients will display incorrect data.

(bool sent, ) = recipient.call{value: REWARD}("");
require(sent, "ETH_TRANSFER_FAILED");
// @> logs msg.sender but ETH was sent to recipient
// @> msg.sender == recipient is explicitly blocked, so this is always wrong
emit Claimed(treasureHash, msg.sender);

Risk

Likelihood:

  • Every successful claim() call emits the wrong address. This occurs 100% of the time, since msg.sender == recipient is explicitly blocked by the InvalidRecipient check

  • Any off-chain system relying on the event receives incorrect data from the very first claim

Impact:

  • Block explorers, front-ends, and indexers display the submitter instead of the reward recipient, misleading all participants

  • Automated systems reading Claimed events to verify payouts always report the wrong recipient

Proof of Concept

1. Alice (msg.sender) calls claim(proof, treasureHash, Bob (recipient))
2. Bob receives 10 ETH
3. Event emits Claimed(treasureHash, Alice) instead of Claimed(treasureHash, Bob)
4. Any listener watching Claimed events records Alice as the reward recipient
5. Bob has no on-chain event proving he received the reward
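
The steps above as a Foundry test, added here as an example and not taken from the project's code or test suite. ClaimTail is a constructed stand-in that reproduces only the transfer and emit lines quoted in the Description; proof verification is left out, and the indexed event parameters, the parameter name `who`, the REWARD value (from step 2) and the test names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test, Vm} from "forge-std/Test.sol";

// Constructed stand-in for the tail of claim(); proof verification is omitted.
contract ClaimTail {
    // Assumption: both parameters indexed; the real declaration is not shown on the page.
    event Claimed(bytes32 indexed treasureHash, address indexed who);
    error InvalidRecipient();

    uint256 public constant REWARD = 10 ether; // assumed from PoC step 2

    function claim(bytes32 treasureHash, address payable recipient) external {
        if (recipient == msg.sender) revert InvalidRecipient();
        (bool sent, ) = recipient.call{value: REWARD}("");
        require(sent, "ETH_TRANSFER_FAILED");
        emit Claimed(treasureHash, msg.sender); // behaviour reported in this finding
    }
}

contract ClaimedEventTest is Test {
    ClaimTail tail;
    address alice = makeAddr("alice"); // submitter (msg.sender)
    address bob = makeAddr("bob");     // reward recipient

    function setUp() public {
        tail = new ClaimTail();
        vm.deal(address(tail), 10 ether); // fund one reward
    }

    function test_ClaimedLogsSubmitterNotPayee() public {
        bytes32 treasureHash = keccak256("constructed-treasure");
        vm.recordLogs();
        vm.prank(alice);
        tail.claim(treasureHash, payable(bob));

        Vm.Log[] memory logs = vm.getRecordedLogs();
        assertEq(logs.length, 1);
        assertEq(logs[0].topics[0], keccak256("Claimed(bytes32,address)"));
        // With an indexed address, the value sits in topics[2], left-padded to 32 bytes.
        address logged = address(uint160(uint256(logs[0].topics[2])));

        assertEq(bob.balance, 10 ether); // step 2: Bob is paid
        assertEq(logged, alice);         // step 3: the event names Alice
        assertTrue(logged != bob);       // step 5: no event names Bob
    }
}
```

Once the emit uses recipient, the last two assertions fail; replacing them with assertEq(logged, bob) turns this into a regression test for the fix.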

Recommended Mitigation

- emit Claimed(treasureHash, msg.sender);
+ emit Claimed(treasureHash, recipient);
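
Review bot: on the + line the second Claimed argument changes meaning from submitter to payee, but the hunk does not touch the event declaration. If that parameter is named or documented as the claimer, rename it and update its NatSpec in the same change so the ABI that indexers consume matches what is emitted. A regression test that calls claim() with msg.sender different from recipient and asserts the emitted address equals recipient would keep the old behaviour from returning.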
