search

code-423n4 / 2021-04-maple-findings

0 stars 0 forks source link

Event emission inconsistent with NatSpec comment in ERC2222.sol #72

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

0xRajeev

Vulnerability details

Impact

_prepareWithdraw() and _prepareWithdrawOnBehalf() emit FundsWithdrawn event but their @dev Natspec comments say this:

@dev It emits a FundsWithdrawn event if the amount of withdrawn ether is greater than 0.

However, this event is emitted before the greater-than 0 check performed by the callers of these functions.

Proof of Concept

https://github.com/maple-labs/maple-token/blob/dda1b2018e89d684323b14ce7b9226c9c00e4ffa/contracts/ERC2222.sol#L59-L72

https://github.com/maple-labs/maple-token/blob/dda1b2018e89d684323b14ce7b9226c9c00e4ffa/contracts/ERC2222.sol#L74-L87

Callers which perform the greater-than 0 check after the call to above functions (which already would have emitted the event):

https://github.com/maple-labs/maple-token/blob/dda1b2018e89d684323b14ce7b9226c9c00e4ffa/contracts/ERC2222.sol#L177-L188

https://github.com/maple-labs/maple-token/blob/dda1b2018e89d684323b14ce7b9226c9c00e4ffa/contracts/ERC2222.sol#L190-L201

Tools Used

Manual Analysis

Recommended Mitigation Steps

Change comment or event emission location to match each other.

Arachnid commented 3 years ago

Duplicate of #96