code423n4 | Code4rena | CODE423N4:2023-08-SHELL-FINDINGS-ISSUES-201
Aug 28, 2023 - 12:00 a.m.

Lack of events in EvolvingProteus contract


Lines of code

Vulnerability details

Impact

No event is emitted anywhere in the contract, not even after sensitive actions such as swaps between assets, or in the constructor. This is a problem because many automated tools that monitor deployed contracts rely on events. For comparison, see the swap function in UniswapV3Pool#L786:

<https://github.com/Uniswap/v3-core/blob/d8b1c635c275d2a9450bd6a78f3fa2484fef73eb/contracts/UniswapV3Pool.sol#L786>

        emit Swap(msg.sender, recipient, amount0, amount1, state.sqrtPriceX96, state.liquidity, state.tick);

Proof of Concept

Just Ctrl+F and search for "emit" in the whole in-scope file:

<https://github.com/code-423n4/2023-08-shell/blob/c61cf0e01bada04c3d6055acb81f61955ed600aa/src/proteus/EvolvingProteus.sol#L137-L853>
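The "search for emit" check above can be made per-function instead of per-file. The following is an added example, not part of the original report or of the Shell code base: a heuristic scanner that lists constructors and state-changing external/public functions whose own body contains no emit statement. The sample contract and all names in it are constructed for illustration; an emit reached only through an internal helper is not followed.

```python
import re

# Constructed sample contract (hypothetical; not EvolvingProteus itself).
SAMPLE = '''
contract Pool {
    event Swap(address indexed sender, int256 amount0, int256 amount1);
    uint256 public fee;
    constructor(uint256 _fee) { fee = _fee; }
    function swap(int256 a0, int256 a1) external {
        if (a0 == 0) { revert(); }
        emit Swap(msg.sender, a0, a1);
    }
    function setFee(uint256 _fee) external { fee = _fee; }
    function quote(uint256 x) external view returns (uint256) { return x * fee; }
    function _mul(uint256 x) internal pure returns (uint256) { return x * 2; }
}
'''

# Function or constructor header up to its opening brace; group 4 holds the modifiers.
HEADER = re.compile(r'\b(?:function\s+(\w+)|(constructor))\s*\(([^)]*)\)([^{;]*)\{')

def strip_comments(src):
    """Drop // and /* */ comments so a commented-out emit is not counted."""
    src = re.sub(r'/\*.*?\*/', '', src, flags=re.S)
    return re.sub(r'//[^\n]*', '', src)

def body_at(src, open_idx):
    """Return the text between the brace at open_idx and its matching close."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == '{':
            depth += 1
        elif src[i] == '}':
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    raise ValueError("unbalanced braces")

def functions_without_events(src):
    """Names of state-changing entry points whose body has no emit statement."""
    src = strip_comments(src)
    missing = []
    for m in HEADER.finditer(src):
        # view/pure functions cannot emit; internal/private ones are not entry points.
        if re.search(r'\b(view|pure|internal|private)\b', m.group(4)):
            continue
        if not re.search(r'\bemit\s+\w+', body_at(src, m.end() - 1)):
            missing.append(m.group(1) or 'constructor')
    return missing
```

On the constructed sample, functions_without_events(SAMPLE) reports the constructor and setFee, and skips swap, quote and _mul.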

Tools Used

Manual analysis

Recommended Mitigation Steps

Consider emitting events after sensitive changes take place (including in the constructor), to facilitate tracking and notify off-chain clients following the contracts’ activity.

NOTE: Medium severity, as here, here and here. For C4 findings, go to Solodit and search for the keyword "emits"; plenty of them are rated medium.

Assessed type

Other

