Algo Ssstablecoinsss

AI First Flight #2

Beginner FriendlyDeFi

EXP

View results

Previous Next

Submission Details

Impact: medium

Likelihood: high

Invalid

[M-05] CollateralDeposited Event Missing Token Address Information

rensley

Root + Impact

Description

The CollateralDeposited event only logs the user address and amount, but omits the crucial token address.
Since the protocol supports multiple collateral types (WETH and WBTC), off-chain systems and indexers cannot distinguish which token was deposited without parsing transaction input data. This makes tracking deposits by token type impossible using events alone.

// Root cause in the codebase with @> marks to highlight the relevant section

event CollateralDeposited:

user: indexed(address)

amount: indexed(uint256)

@> # Missing: token address!

# In _deposit_collateral:

log CollateralDeposited(msg.sender, amount_collateral) # No token info

```

Risk

Likelihood: High

Reason 1 // Every deposit is affected
Reason 2 // Standard practice to include all relevant data

Impact: Medium

Impact 1 // Off-chain indexers cannot track deposits by token
Impact 2 // Analytics dashboards are incomplete
Impact 3 // Debugging and auditing made difficult

Proof of Concept

The following demonstrates that events from WETH and WBTC deposits are indistinguishable. Any off-chain system relying on events alone cannot determine which collateral type was deposited.

def test_event_missing_token():

with boa.env.prank(user):

weth.approve(dsce, AMOUNT)

wbtc.approve(dsce, AMOUNT)

# Both deposits emit identical event structure

dsce.deposit_collateral(weth, AMOUNT)

dsce.deposit_collateral(wbtc, AMOUNT)

# Off-chain: Cannot tell which deposit was WETH vs WBTC

# Events only show: CollateralDeposited(user, AMOUNT)

Recommended Mitigation

Add the token address to the event to enable proper off-chain tracking. This is standard practice for protocols supporting multiple token types and is essential for proper indexing.

event CollateralDeposited:

+ token: indexed(address)

user: indexed(address)

amount: indexed(uint256)

@internal

def _deposit_collateral(

token_collateral_address: address, amount_collateral: uint256

# ...

- log CollateralDeposited(msg.sender, amount_collateral)

+ log CollateralDeposited(token_collateral_address, msg.sender, amount_collateral)

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 3 hours ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!