Inaccurate log emitted at deleteNewIndex #50
Labels
1 (Low Risk)
Assets are not at risk. State handling, function incorrect as to spec, issues with comments
bug
Warden finding
sponsor acknowledged
Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Comments
code423n4
added
1 (Low Risk)
|
Warden apologizes for linking the code of the previous defiProtocol contest, however these lines are not changed in the new contest. |
frank-beard
added
the
sponsor acknowledged
|
Finding is valid, while issues with events are non-critical, because this is an issue with the written code, low severity is appropriate |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Handle
kenzo
Vulnerability details
The DeletedNewIndex log emits "publisher", but it might be the auction that called the function.
Note: the event is defined as:
event DeletedNewIndex(address _publisher);
So if you wanted to anyway emit just the publisher, this is not a bug.
However as this function call be called from both publisher and auction, I have a feeling you wanted to emit the msg.sender.
Impact
Inaccurate data supplied.
Proof of Concept
https://github.com/code-423n4/2021-09-defiProtocol/blob/52b74824c42acbcd64248f68c40128fe3a82caf6/contracts/contracts/Basket.sol#L208
Tools Used
Manual analysis
Recommended Mitigation Steps
Emit msg.sender instead of publisher.
The text was updated successfully, but these errors were encountered: