Algo Ssstablecoinsss

AI First Flight #2
Submission Details
Impact: low
Likelihood: high
Invalid

L01. Missing token address in CollateralDeposited event

Root + Impact


Description

  • Normal behavior: Deposit and redeem events should allow off‑chain indexers and analytics systems to reconstruct each user’s collateral position per token over time using event logs alone.

  • Issue: The CollateralDeposited event omits the token address, so downstream consumers cannot determine which collateral asset was deposited, breaking accounting for multi‑collateral setups.

# dsc_engine.vy (current)
event CollateralDeposited:
    user: indexed(address)
    amount: indexed(uint256)
    # @> missing token: indexed(address)

# emitted as:
log CollateralDeposited(user, amount)

Risk

Likelihood:

  • Reason 1 // Off‑chain infrastructure such as dashboards, alerting systems, and accounting tools commonly rely on events instead of reading full on‑chain state.

  • Reason 2 // The protocol already supports multiple collateral types, making token identification via events essential rather than optional.

Impact:

  • Impact 1 // Indexers cannot reconstruct accurate collateral balances per token, leading to incorrect health factor displays and risk metrics in external tools.

  • Impact 2 // Operators and users lose observability into which assets back the system, reducing transparency and complicating incident response or forensic analysis.

Proof of Concept

When two different collateral tokens are supported, deposits appear indistinguishable in logs:

  1. Protocol supports both WETH and WBTC as collateral.

  2. User A deposits 1 WETH; User B deposits 1 WBTC.

  3. Off‑chain indexer consumes CollateralDeposited(user, amount) events without a token field.

  4. Both deposits appear as amount = 1e18 from different users but cannot be mapped to WETH vs WBTC, making any per‑asset breakdown impossible.

function testEventsCannotDistinguishCollateralToken() public {
    address userA = makeAddr("userA");
    address userB = makeAddr("userB");
    // userA deposits WETH, userB deposits WBTC
    // listen to emitted CollateralDeposited events
    // @> observed events share the same signature and indexed fields for `amount`
    // without a token address, off‑chain code cannot tell which asset was used
}
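
Steps 1 to 4 from the indexer's side, as an added example that is not part of the original submission or the project's code: it decodes raw log entries for the event layout the report describes and for the layout proposed under Recommended Mitigation. The topic0 values, addresses and sample logs are constructed, and the helper names are hypothetical.

```python
from collections import defaultdict

# Constructed stand-ins: a real topic0 is keccak256 of the event signature.
TOPIC0_NO_TOKEN = "0x" + "aa" * 32    # CollateralDeposited(address,uint256)
TOPIC0_WITH_TOKEN = "0x" + "bb" * 32  # CollateralDeposited(address,address,uint256)

# Constructed addresses for the scenario in steps 1-2.
WETH, WBTC = "0x" + "11" * 20, "0x" + "22" * 20
USER_A, USER_B = "0x" + "a1" * 20, "0x" + "b2" * 20

def topic_addr(a):   # address -> 32-byte topic
    return "0x" + a[2:].rjust(64, "0")

def word(n):         # uint256 -> 32-byte hex word
    return "0x" + format(n, "064x")

def addr_of(topic):  # 32-byte topic -> address
    return "0x" + topic[-40:]

def index_deposits(logs):
    """Sum deposits per (token, user); token is None when the log carries none."""
    positions = defaultdict(int)
    for log in logs:
        t = log["topics"]
        if t[0] == TOPIC0_NO_TOKEN and len(t) == 3:
            # layout described in the report: topics = [sig, user, amount], no data
            positions[(None, addr_of(t[1]))] += int(t[2], 16)
        elif t[0] == TOPIC0_WITH_TOKEN and len(t) == 3:
            # proposed layout: topics = [sig, token, user], data = amount
            positions[(addr_of(t[1]), addr_of(t[2]))] += int(log["data"], 16)
    return dict(positions)

def per_token_totals(positions):
    totals = defaultdict(int)
    for (token, _user), amount in positions.items():
        totals[token] += amount
    return dict(totals)

ONE = 10**18
CURRENT_LOGS = [  # constructed: A deposits WETH, B deposits WBTC
    {"topics": [TOPIC0_NO_TOKEN, topic_addr(USER_A), word(ONE)], "data": "0x"},
    {"topics": [TOPIC0_NO_TOKEN, topic_addr(USER_B), word(ONE)], "data": "0x"},
]
PROPOSED_LOGS = [  # the same two deposits under the proposed event
    {"topics": [TOPIC0_WITH_TOKEN, topic_addr(WETH), topic_addr(USER_A)], "data": word(ONE)},
    {"topics": [TOPIC0_WITH_TOKEN, topic_addr(WBTC), topic_addr(USER_B)], "data": word(ONE)},
]

if __name__ == "__main__":
    print(per_token_totals(index_deposits(CURRENT_LOGS)))   # one bucket, token unknown
    print(per_token_totals(index_deposits(PROPOSED_LOGS)))  # one bucket per token
```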

Recommended Mitigation

Extend the CollateralDeposited event to include the collateral token address and update emit sites accordingly.

// dsc_engine.vy (conceptual diff)
-event CollateralDeposited:
- user: indexed(address)
- amount: indexed(uint256)
+event CollateralDeposited:
+ token: indexed(address)
+ user: indexed(address)
+ amount: uint256
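
Review bot: The + lines put `token` ahead of `user` and drop `indexed` from `amount`, which the mitigation text does not mention. Beyond adding a field, this moves `user` from the first indexed slot to the second and moves `amount` out of the topics into the data section, and the event signature itself changes with the new parameter list. A consumer filtering on the old topic positions would stop matching without any error. Either state the layout change explicitly so indexers can be migrated, or append `token` after `user` to keep `user` in its existing slot. Since the Description refers to deposit and redeem events together, check whether the redeem event needs the same field.
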
# Emission site
- log CollateralDeposited(user, amount)
+ log CollateralDeposited(collateral, user, amount)
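
Review bot: `collateral` on the + line is not defined anywhere in the visible diff, so it cannot be checked against the deposit function's token parameter; name the enclosing function and the parameter in the hunk. Only one emit site is shown, so also confirm that no other `log CollateralDeposited(` call is left in the two-argument form.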

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 10 days ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
