CollateralDeposited omits the collateral token, breaking off-chain accounting in a multi-collateral systemSeverity: Low · Impact: Low · Likelihood: High
In a multi-collateral engine, deposit events must identify which token was deposited so indexers can reconstruct per-token balances.
CollateralDeposited logs only (user, amount) — it never records the token address — while the sibling CollateralRedeemed event does include the token. It also indexes amount (a non-filterable value) instead of the token.
Likelihood:
Occurs on every deposit — the event is permanently missing the token dimension.
Impact:
Off-chain systems cannot attribute a deposit to WETH vs WBTC from the event alone, corrupting balance accounting, dashboards, and liquidation monitoring.
Save the block below as tests/poc_l2.py inside the cloned repo and run mox test tests/poc_l2.py. Two deposits of the same size but different collateral tokens emit byte-for-byte identical events, and neither event contains the token address — proving the token cannot be recovered from the log.
Add the token address to the event and index the fields that are actually filtered on.
The contest is live. Earn rewards by submitting a finding.
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsThe contest is complete and the rewards are being distributed.