Algo Ssstablecoinsss

AI First Flight #2

Beginner FriendlyDeFi

EXP

View results

Previous Next

Submission Details

Impact: medium

Likelihood: high

Invalid

M-2 — CollateralDeposited event missing token address

anasss

Root + Impact

The developer forgot to include token_collateral_address in the CollateralDeposited event definition. This is an oversight — the same token field exists correctly in CollateralRedeemed but was simply missed in CollateralDeposited.

Impact:

Off-chain indexers and block explorers cannot tell which token (WETH or WBTC) was deposited from the event alone
Liquidation bots that rely on events to track user positions may make wrong decisions
Monitoring and security tools cannot accurately reconstruct the full deposit history of the protocol
Creates inconsistency between CollateralDeposited and CollateralRedeemed events making the codebase harder to reason about
Frontend applications showing users their deposit history cannot display which token was deposited

Description

The vulnerability in one sentence: The CollateralDeposited event does not log which token was deposited — WETH or WBTC — making it impossible for off-chain tools, block explorers, liquidation bots, and monitoring systems to reconstruct deposit history from events alone, while the CollateralRedeemed event correctly includes the token address making the two events inconsistent.

// Root cause in the codebase with @> marks to highlight the relevant section

event CollateralDeposited:

user: indexed(address)

amount: indexed(uint256)

# token address is missing

Risk

Likelihood:

Medium — this doesn't require any special conditions. Every single deposit emits this incomplete event.Impact:

Proof of Concept

User deposits 2 WETH into the protocol by calling deposit_collateral

Protocol emits CollateralDeposited event with only user and amount

A liquidation bot monitoring events sees: "User 0xABC deposited 2 tokens"

Bot cannot determine if it was WETH or WBTC from the event

Bot makes wrong calculation about user's collateral composition

A second user deposits 2 WBTC — same incomplete event is emitted

Off-chain indexer cannot distinguish between the two deposits

Block explorer shows "deposited 2 tokens" with no token information

Protocol's deposit history is permanently incomplete and untrustworthy from events alone

Recommended Mitigation

This makes CollateralDeposited consistent with CollateralRedeemed and gives off-chain tools the complete information they need.

- remove this code

+ add this code

# Current — incomplete:

event CollateralDeposited:

user: indexed(address)

amount: indexed(uint256)

# Fixed — includes token:

event CollateralDeposited:

user: indexed(address)

token: indexed(address)

amount: indexed(uint256)

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 8 hours ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!