Thunder Loan

AI First Flight #7
Beginner Friendly, Foundry, DeFi, Oracle
Submission Details
Severity: low
Valid

[L-01] Missing Event in `updateFlashLoanFee()` — Fee Changes Not Observable


Scope

  • ThunderLoan.sol

Description

The updateFlashLoanFee() function modifies the protocol-critical s_flashLoanFee state variable but emits no event. Off-chain monitoring systems, indexers, and front-ends cannot detect fee changes.

```solidity
function updateFlashLoanFee(uint256 newFee) external onlyOwner {
    if (newFee > s_feePrecision) { revert ThunderLoan__BadNewFee(); }
@>  s_flashLoanFee = newFee; // No event emitted
}
```

Risk

Likelihood: Medium

  • Occurs whenever the protocol owner calls updateFlashLoanFee(). Fee changes are a routine governance action that will happen during the protocol's lifetime.

Impact: Low

  • No direct fund loss. However, off-chain monitoring systems, indexers, and front-ends cannot detect fee changes. Users may take flash loans expecting one fee rate while a different rate is active.

Severity: Low

Proof of Concept

After the owner calls updateFlashLoanFee(1e16), no event is emitted. An off-chain indexer watching for fee change events will miss this change entirely. A front-end displaying fee rates will serve stale data, potentially misleading users about the cost of flash loans.

```solidity
function test_no_event_on_fee_change() public {
    // No FlashLoanFeeUpdated event exists — this test verifies absence
    vm.recordLogs();
    thunderLoan.updateFlashLoanFee(1e16);
    Vm.Log[] memory logs = vm.getRecordedLogs();
    assertEq(logs.length, 0); // No events emitted
}
```
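
The counterpart to the test above, for a contract that emits the `FlashLoanFeeUpdated(oldFee, newFee)` event this report recommends. This is an added example, not part of the original submission or the Thunder Loan code base: `FeeConfigMock` is a hypothetical stand-in for the patched contract, and its owner check, precision and starting fee are assumed values.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import { Test } from "forge-std/Test.sol";

// Hypothetical stand-in for the patched fee logic; not the ThunderLoan contract.
contract FeeConfigMock {
    error BadNewFee();
    error NotOwner();

    event FlashLoanFeeUpdated(uint256 oldFee, uint256 newFee);

    address private immutable i_owner = msg.sender;
    uint256 private s_feePrecision = 1e18; // assumed value
    uint256 private s_flashLoanFee = 3e15; // assumed starting fee

    function updateFlashLoanFee(uint256 newFee) external {
        if (msg.sender != i_owner) revert NotOwner();
        if (newFee > s_feePrecision) revert BadNewFee();
        emit FlashLoanFeeUpdated(s_flashLoanFee, newFee); // old value read before the write
        s_flashLoanFee = newFee;
    }
}

contract FeeEventTest is Test {
    // Redeclared so the test can emit the expected log for vm.expectEmit.
    event FlashLoanFeeUpdated(uint256 oldFee, uint256 newFee);

    FeeConfigMock internal fees;

    function setUp() public {
        fees = new FeeConfigMock(); // the test contract becomes the owner
    }

    function test_event_carries_old_and_new_fee() public {
        // The event has no indexed fields: compare data and emitter only.
        vm.expectEmit(false, false, false, true, address(fees));
        emit FlashLoanFeeUpdated(3e15, 1e16);
        fees.updateFlashLoanFee(1e16);

        // A second update must report the first update's value as oldFee,
        // not the deployment default.
        vm.expectEmit(false, false, false, true, address(fees));
        emit FlashLoanFeeUpdated(1e16, 2e16);
        fees.updateFlashLoanFee(2e16);
    }
}
```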

Recommended Mitigation

Add a FlashLoanFeeUpdated event that logs both the old and new fee values. This restores observability for off-chain systems and enables governance monitoring tools to detect fee changes in real time.

+ event FlashLoanFeeUpdated(uint256 oldFee, uint256 newFee);
function updateFlashLoanFee(uint256 newFee) external onlyOwner {
if (newFee > s_feePrecision) { revert ThunderLoan__BadNewFee(); }
+ emit FlashLoanFeeUpdated(s_flashLoanFee, newFee);
s_flashLoanFee = newFee;
}
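
Review bot: on the `emit FlashLoanFeeUpdated(s_flashLoanFee, newFee);` line, the old value is only correct because the emit sits before `s_flashLoanFee = newFee;`. Reading the old fee into a local before the assignment and emitting from that local keeps the event right if the two lines are ever reordered. The Proof of Concept test asserts `logs.length == 0`, so it will fail once this change lands and should be replaced by a test that expects the event. The judge's tag also names `ThunderLoanUpgraded::updateFlashLoanFee()`, which this hunk does not touch.
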
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 20 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[L-02] updateFlashLoanFee() missing event

## Description

`ThunderLoan::updateFlashLoanFee()` and `ThunderLoanUpgraded::updateFlashLoanFee()` do not emit an event, so it is difficult to track changes in the value `s_flashLoanFee` off-chain.

## Vulnerability Details

```solidity
function updateFlashLoanFee(uint256 newFee) external onlyOwner {
    if (newFee > FEE_PRECISION) {
        revert ThunderLoan__BadNewFee();
    }
@>  s_flashLoanFee = newFee;
}
```

## Impact

In Ethereum, events are used to facilitate communication between smart contracts and their user interfaces or other off-chain services. When an event is emitted, it gets logged in the transaction receipt, and these logs can be monitored and reacted to by off-chain services or user interfaces.

Without a `FeeUpdated` event, any off-chain service or user interface that needs to know the current `s_flashLoanFee` would have to actively query the contract state to get the current value. This is less efficient than simply listening for the `FeeUpdated` event, and it can lead to delays in detecting changes to the `s_flashLoanFee`.

The impact of this could be significant because the `s_flashLoanFee` is used to calculate the cost of the flash loan. If the fee changes and an off-chain service or user is not aware of the change because they didn't query the contract state at the right time, they could end up paying a different fee than they expected.

## Recommendations

Emit an event for critical parameter changes.

```diff
+ event FeeUpdated(uint256 indexed newFee);
function updateFlashLoanFee(uint256 newFee) external onlyOwner {
if (newFee > s_feePrecision) { revert ThunderLoan__BadNewFee(); }
s_flashLoanFee = newFee;
+ emit FeeUpdated(s_flashLoanFee);
}
```
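
Review bot: `emit FeeUpdated(s_flashLoanFee);` logs only the new fee and reads it back from storage after the write. Emitting `newFee` directly avoids the extra storage read, and adding the previous value as a second field lets a monitor see the size of the change from the log alone. The bound check in this diff uses `s_feePrecision` while the snippet under Vulnerability Details uses `FEE_PRECISION`; the two should be reconciled.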
