Lack of event emission after sensitive actions #104
Labels
bug: Something isn't working
duplicate: This issue or pull request already exists
QA (Quality Assurance): Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2022-02-redacted-cartel/blob/92c4d5810df7b9de15eae55dc7641c8b36cd799d/contracts/TokemakBribe.sol#L108-L110
Vulnerability details
Impact
An event is missing after changes of the _round parameter by an admin or team member. This leaves other team members unaware of the round when setting proposals. Lack of event emission after a critical parameter change is a known vulnerability that can range from low to high risk, depending on the parameter.
Some examples:
LOW code-423n4/2021-06-gro-findings#5
MEDIUM code-423n4/2021-08-floatcapital-findings#85
https://blog.openzeppelin.com/uma-audit-phase-4/ (see M01)
HIGH https://blog.openzeppelin.com/audius-contracts-audit/#high
Proof of Concept
Tools Used
Manual code revision
Recommended Mitigation Steps
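Added example, not part of the original report or the project's code: a heuristic Python check that flags state-changing Solidity functions which write a state variable without emitting an event, the pattern this finding describes for _round. The contract BribeSample and its function names are constructed for illustration, and the regex-based parsing assumes simple, single-contract source.

```python
import re

# Constructed sample, NOT the project's TokemakBribe.sol: one setter emits, one does not.
SAMPLE = """
contract BribeSample {
    uint256 private _round;
    address public team;
    event SetTeam(address team);

    function setRound(uint256 round) external {
        _round = round;
    }
    function setTeam(address newTeam) external {
        team = newTeam;
        emit SetTeam(newTeam);
    }
    function getRound() external view returns (uint256) {
        return _round;
    }
}
"""

STATE_VAR = re.compile(
    r"^\s*(?:uint\d*|int\d*|address|bool|bytes\d*|string)\s+"
    r"(?:(?:public|private|internal)\s+)*(\w+)\s*(?:=[^;]*)?;", re.M)
FUNC = re.compile(r"function\s+(\w+)\s*\([^)]*\)([^{;]*)\{")

def functions(src):
    """Yield (name, modifiers, body, span) per function, matching braces for the body."""
    for m in FUNC.finditer(src):
        depth, i = 1, m.end()
        while depth and i < len(src):
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), m.group(2), src[m.end():i - 1], (m.start(), i)

def setters_without_events(src):
    """Return [(function, [state vars written])] for state-changing functions with no emit."""
    funcs = list(functions(src))
    outside = src
    for *_, (start, end) in reversed(funcs):  # drop bodies so locals are not taken for state
        outside = outside[:start] + outside[end:]
    state_vars = set(STATE_VAR.findall(outside))
    findings = []
    for name, modifiers, body, _ in funcs:
        if re.search(r"\b(view|pure)\b", modifiers) or not re.search(r"\b(external|public)\b", modifiers):
            continue
        written = sorted(v for v in state_vars
                         if re.search(r"\b%s\b\s*[-+*/]?=(?!=)" % re.escape(v), body))
        if written and not re.search(r"\bemit\s+\w+\s*\(", body):
            findings.append((name, written))
    return findings
```

On the constructed sample the check reports only setRound, since setTeam emits and getRound is a view function.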