Line 111 emits the wrong address in the Claimed event:
The event records WHO SUBMITTED THE TRANSACTION, not WHO RECEIVED THE MONEY.
Real-world example:
Bob (bounty hunter) finds treasure and gets ZK proof
Proof is bound to Alice (his friend who physically found the treasure)
Bob submits the claim transaction
Alice receives 10 ETH
Current broken behavior:
Event emits: Claimed(treasureHash, bob)
Off-chain system records: "Bob claimed treasureHash and received 10 ETH"
Reality:
Bob never received anything
Alice received 10 ETH
Event is completely wrong
Likelihood:
Occurs on every claim() call where msg.sender != recipient
This is a supported use case — the function accepts a separate recipient parameter
Impact:
Off-chain indexing shows wrong recipient data
Subgraphs and APIs return incorrect information
Audit trails and legal/compliance records are false
Forensic analysis is unreliable
Cannot verify who actually got paid from event logs alone
This test proves the event emits the caller instead of the recipient.
When msg.sender and recipient are different addresses, the emitted
event records the caller — not the address that actually received the 10 ETH.
The fix is a single one-word change on line 111. Replace msg.sender
with recipient so the event records the address that actually received
the reward, not the address that submitted the transaction.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.