Missing events for governor only functions that change critical parameters #32
Labels
0 (Non-critical)
Code style, clarity, syntax, versioning, off-chain monitoring (events etc), exclude gas optimisation
bug
Something isn't working
disagree with severity
Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments)
Handle
defsec
Vulnerability details
Impact
Governor only functions that change critical parameters should emit events. Events allow capturing the changed parameters so that off-chain tools/interfaces can register such changes with timelocks that allow users to evaluate them and consider if they would like to engage/exit based on how they perceive the changes as affecting the trustworthiness of the protocol or profitability of the implemented financial services. The alternative of directly querying on-chain contract state for such changes is not considered practical for most users/usages.
Missing events and timelocks do not promote transparency and if such changes immediately affect users’ perception of fairness or trustworthiness, they could exit the protocol causing a reduction in liquidity which could negatively impact protocol TVL and reputation.
There are governor functions that do not emit any events in MochiEngine.sol.
Proof of Concept
Missing events
https://github.com/code-423n4/2021-10-mochi/blob/main/projects/mochi-core/contracts/MochiEngine.sol#L39
https://github.com/code-423n4/2021-10-mochi/blob/main/projects/mochi-core/contracts/MochiEngine.sol#L43
https://github.com/code-423n4/2021-10-mochi/blob/main/projects/mochi-core/contracts/MochiEngine.sol#L47
https://github.com/code-423n4/2021-10-mochi/blob/main/projects/mochi-core/contracts/MochiEngine.sol#L51
https://github.com/code-423n4/2021-10-mochi/blob/main/projects/mochi-core/contracts/MochiEngine.sol#L55
https://github.com/code-423n4/2021-10-mochi/blob/main/projects/mochi-core/contracts/MochiEngine.sol#L59
https://github.com/code-423n4/2021-10-mochi/blob/main/projects/mochi-core/contracts/MochiEngine.sol#L63
https://github.com/code-423n4/2021-10-mochi/blob/main/projects/mochi-core/contracts/MochiEngine.sol#L67
https://github.com/code-423n4/2021-10-mochi/blob/main/projects/mochi-core/contracts/MochiEngine.sol#L71
https://github.com/code-423n4/2021-10-mochi/blob/main/projects/mochi-core/contracts/MochiEngine.sol#L75
https://github.com/code-423n4/2021-10-mochi/blob/main/projects/mochi-core/contracts/MochiEngine.sol#L79
https://github.com/code-423n4/2021-10-mochi/blob/main/projects/mochi-core/contracts/MochiEngine.sol#L83
https://github.com/code-423n4/2021-10-mochi/blob/main/projects/mochi-core/contracts/MochiEngine.sol#L87
https://github.com/code-423n4/2021-10-mochi/blob/main/projects/mochi-core/contracts/MochiEngine.sol#L91
See the similar High-severity H03 finding in OpenZeppelin’s Audit of Audius (https://blog.openzeppelin.com/audius-contracts-audit/#high) and the Medium-severity M01 finding in OpenZeppelin’s Audit of UMA Phase 4 (https://blog.openzeppelin.com/uma-audit-phase-4/).
Tools Used
Manual Code Review
Recommended Mitigation Steps
Add events to all governor functions that change critical parameters.
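A sketch of the recommended pattern, added here as an illustration and not taken from MochiEngine.sol: a governor-only setter split into a queued and an applied step, each emitting an event that carries the old and new values so off-chain monitors can pick up the change during the delay. The contract name, function names, event names and the two-day delay are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration; contract, event and function names are hypothetical,
// not the ones used in MochiEngine.sol.
contract GovernedParams {
    uint256 public constant DELAY = 2 days; // assumed review window

    address public governance;
    address public treasury;
    address public pendingTreasury;
    uint256 public pendingTreasuryEta; // 0 means nothing is queued

    // Indexed addresses let monitors filter logs by old or new value.
    event TreasuryChangeQueued(address indexed current, address indexed proposed, uint256 eta);
    event TreasuryChanged(address indexed previous, address indexed current);

    modifier onlyGov() {
        require(msg.sender == governance, "!gov");
        _;
    }

    constructor(address _treasury) {
        require(_treasury != address(0), "zero address");
        governance = msg.sender;
        treasury = _treasury;
        emit TreasuryChanged(address(0), _treasury);
    }

    // Step 1: announce the change on-chain so monitors can alert users.
    function queueTreasury(address _treasury) external onlyGov {
        require(_treasury != address(0), "zero address");
        pendingTreasury = _treasury;
        pendingTreasuryEta = block.timestamp + DELAY;
        emit TreasuryChangeQueued(treasury, _treasury, pendingTreasuryEta);
    }

    // Step 2: apply only after the delay, logging both old and new values.
    function applyTreasury() external onlyGov {
        require(pendingTreasuryEta != 0, "nothing queued");
        require(block.timestamp >= pendingTreasuryEta, "timelocked");
        address previous = treasury;
        treasury = pendingTreasury;
        delete pendingTreasury;
        delete pendingTreasuryEta;
        emit TreasuryChanged(previous, treasury);
    }
}
```

An off-chain monitor subscribed to `TreasuryChangeQueued` sees the proposed value and its `eta` before the change takes effect, and `TreasuryChanged` gives an auditable record of each applied update.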