The `Claimed` event is emitted before the token transfer, violating the Checks-Effects-Interactions (CEI) pattern. While `SafeERC20` should revert on failure, emitting events before external calls is a code smell and could lead to inconsistent state if the transfer somehow succeeds partially.
### Root + Impact
The event is emitted before the external token transfer, which goes against best practices for state changes and external calls.
```solidity
// src/MerkleAirdrop.sol:38-39
// Event is emitted first...
emit Claimed(account, amount);
// ...and the external token transfer happens afterwards.
i_airdropToken.safeTransfer(account, amount);
```
Following the CEI pattern, events should be emitted after all external calls complete successfully. While `SafeERC20.safeTransfer()` will revert on failure, emitting the event first creates a potential inconsistency if there are any edge cases or if the code is modified in the future.
Likelihood:
* The event is always emitted before the transfer
* While `SafeERC20` should revert on failure, this violates best practices
* Future code modifications might not maintain the same safety guarantees
Impact:
* Event logs may show claims that didn't actually complete
* Violates security best practices (CEI pattern)
* Could cause confusion in event monitoring and indexing
* Minor risk if transfer somehow partially succeeds
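
For the monitoring and indexing concern listed under Impact, an indexer can reconcile each `Claimed` log against a token `Transfer` log in the same transaction receipt. The sketch below is an added example, not code from the audited project; the decoded-log dictionary shape, the event argument names and the placeholder addresses are assumptions, and the receipts are constructed sample data.

```python
from collections import Counter

AIRDROP = "0xAirdrop"  # placeholder for the MerkleAirdrop contract address
TOKEN = "0xToken"      # placeholder for the airdrop token address

def unmatched_claims(receipts, airdrop=AIRDROP, token=TOKEN):
    """Return (tx, account, amount) for each Claimed log that has no matching
    Transfer(airdrop -> account, amount) from the token in the same receipt.
    Addresses are assumed to be normalised to one case before comparison."""
    findings = []
    for r in receipts:
        if r["status"] != 1:
            continue  # reverted transaction: not a completed claim
        # Multiset of payouts the token actually logged in this transaction.
        transfers = Counter(
            (log["args"]["to"], log["args"]["value"])
            for log in r["logs"]
            if log["address"] == token and log["event"] == "Transfer"
            and log["args"]["from"] == airdrop
        )
        for log in r["logs"]:
            if log["address"] != airdrop or log["event"] != "Claimed":
                continue
            key = (log["args"]["account"], log["args"]["amount"])
            if transfers[key] > 0:
                transfers[key] -= 1  # one Transfer satisfies one Claimed
            else:
                findings.append((r["tx"], *key))
    return findings

def _log(address, event, **args):
    return {"address": address, "event": event, "args": args}

# Constructed sample receipts (not real chain data).
SAMPLE_RECEIPTS = [
    {"tx": "0x01", "status": 1, "logs": [
        _log(AIRDROP, "Claimed", account="0xAlice", amount=25),
        _log(TOKEN, "Transfer", **{"from": AIRDROP, "to": "0xAlice", "value": 25}),
    ]},
    {"tx": "0x02", "status": 1, "logs": [
        _log(AIRDROP, "Claimed", account="0xBob", amount=25),
        _log(TOKEN, "Transfer", **{"from": AIRDROP, "to": "0xBob", "value": 20}),
    ]},
]

if __name__ == "__main__":
    for tx, account, amount in unmatched_claims(SAMPLE_RECEIPTS):
        print(f"{tx}: Claimed({account}, {amount}) has no matching Transfer")
```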