Algo Ssstablecoinsss

AI First Flight #2

Beginner FriendlyDeFi

EXP

View results

Previous Next

Submission Details

Impact: low

Likelihood: low

Invalid

CollateralDeposited Event Missing Token Address Parameter

vikramgoutham289

Root + Impact

Root Cause: The CollateralDeposited event only includes the user address and amount, omitting which collateral token was deposited.

Impact: Off-chain indexers and monitoring systems cannot distinguish between WETH and WBTC deposits from event logs alone. This complicates analytics, portfolio tracking, and forensic analysis after incidents.

Description

Normal Behavior: Events should contain all relevant information for off-chain indexing and monitoring.

Issue: The CollateralDeposited event doesn't include which token was deposited, making it impossible to distinguish between WETH and WBTC deposits from event logs alone.

# dsc_engine.vy

event CollateralDeposited:

user: indexed(address)

amount: indexed(uint256)

# @> Missing: token address

Risk

Likelihood:LOW

Reason 1 : Every collateral deposit emits this incomplete event
Reason 2 : All off-chain systems processing deposits are affected

Impact:

Impact 1 : Reduced observability and monitoring capabilities
Impact 2 : Incomplete audit trails for security analysis

Proof of Concept

A user deposits 1 ETH followed by 0.5 WBTC. The events emitted are CollateralDeposited(user, 1e18) and CollateralDeposited(user, 5e7). From these events alone, an indexer cannot determine which deposit was ETH and which was WBTC without querying additional on-chain state.

def test_event_ambiguity():

# User deposits 1 ETH

engine.deposit_collateral(WETH, 1e18, sender=user)

# Event: CollateralDeposited(user, 1e18)

# User deposits 1 WBTC

engine.deposit_collateral(WBTC, 1e8, sender=user)

# Event: CollateralDeposited(user, 1e8)

# From events alone, we cannot tell which token was deposited

# We only see two deposits with different amounts

Recommended Mitigation

Add the token address as an indexed parameter to the event. Unindex the amount field since Ethereum allows only 3 indexed parameters, and the token address is more valuable for filtering queries.

# dsc_engine.vy

event CollateralDeposited:

user: indexed(address)

+ token: indexed(address)

- amount: indexed(uint256)

+ amount: uint256

@internal

def _deposit_collateral(token_collateral_address: address, amount_collateral: uint256):

# ...

- log CollateralDeposited(msg.sender, amount_collateral)

+ log CollateralDeposited(msg.sender, token_collateral_address, amount_collateral)

# ...

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 3 days ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!