code-423n4 / 2021-09-defiprotocol-findings

Lack of indexed event parameters will affect offchain monitoring #169

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

0xRajeev

Vulnerability details

Impact

Indexed event parameters are stored in the topics part of the log instead of the data part, which allows for faster indexing/querying because of the use of bloom filters for topics. Up to three parameters in every event can be indexed. While this costs a little extra gas, doing so allows for faster and more efficient/effective event lookups.

While this is used in some events, there are many that are missing indexed keywords for address parameters that could use them.

Proof of Concept

https://github.com/code-423n4/2021-09-defiProtocol/blob/52b74824c42acbcd64248f68c40128fe3a82caf6/contracts/contracts/interfaces/IAuction.sol#L40-L44

https://github.com/code-423n4/2021-09-defiProtocol/blob/52b74824c42acbcd64248f68c40128fe3a82caf6/contracts/contracts/interfaces/IBasket.sol#L47-L48

Tools Used

Manual Analysis

Recommended Mitigation Steps

Add indexed parameters, especially for address parameters, where their faster lookup for security monitoring issues can be a good trade-off for the extra gas consumed.
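
Added example, not part of the original report or the audited code: how a positional topic filter in the style of `eth_getLogs` selects a watched address when the parameter is indexed, and what an offchain monitor has to do when it is not. The event `Deposited`, the topic0 placeholders, the addresses and the log records are constructed assumptions.

```python
def strip0x(h):
    return h[2:] if h.startswith("0x") else h

def addr_topic(addr):
    """An indexed address lives in a 32-byte topic, left-padded with zeros."""
    return "0x" + strip0x(addr).lower().rjust(64, "0")

def topics_match(log_topics, wanted):
    """Positional topic filter in the style of eth_getLogs:
    None is a wildcard, a string must match exactly, a list means any-of."""
    if len(wanted) > len(log_topics):
        return False
    for have, want in zip(log_topics, wanted):
        options = [want] if isinstance(want, str) else want
        if options is not None and have.lower() not in [o.lower() for o in options]:
            return False
    return True

def by_topic(logs, topic0, addr):
    """Indexed case: the topic filter alone selects the watched address."""
    return [l for l in logs if topics_match(l["topics"], [topic0, addr_topic(addr)])]

def by_data(logs, topic0, addr):
    """Non-indexed case: fetch every log of the event, then decode word 0 of data.
    Returns (hits, number_of_logs_decoded)."""
    fetched = [l for l in logs if topics_match(l["topics"], [topic0])]
    want = strip0x(addr_topic(addr))
    hits = [l for l in fetched if strip0x(l["data"])[:64].lower() == want]
    return hits, len(fetched)

# Constructed sample data. The topic0 values are placeholders, not real keccak256 hashes.
T_INDEXED = "0x" + "aa" * 32  # hypothetical: event Deposited(address indexed user, uint256 amount)
T_PLAIN = "0x" + "bb" * 32    # hypothetical: event Deposited(address user, uint256 amount)
WATCHED, OTHER = "0x" + "11" * 20, "0x" + "22" * 20
AMOUNT = format(1000, "064x")

def sample_logs():
    logs = []
    for i, who in enumerate([OTHER, WATCHED, OTHER, OTHER]):
        logs.append({"id": f"idx-{i}", "topics": [T_INDEXED, addr_topic(who)], "data": "0x" + AMOUNT})
        logs.append({"id": f"raw-{i}", "topics": [T_PLAIN], "data": addr_topic(who) + AMOUNT})
    return logs

if __name__ == "__main__":
    logs = sample_logs()
    print([l["id"] for l in by_topic(logs, T_INDEXED, WATCHED)])
    hits, decoded = by_data(logs, T_PLAIN, WATCHED)
    print([l["id"] for l in hits], "after decoding", decoded, "logs")
```

With the non-indexed declaration, a topic filter on the address matches nothing, so the monitor has to pull and decode every log of that event to find the one it cares about.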

frank-beard commented 2 years ago

not an exploit

GalloDaSballo commented 2 years ago

Non critical