Handle
0xRajeev
Vulnerability details
Impact
Deposits and withdrawals are the most critical aspects of an auction. While the commit ETH/token functions have an AddedCommitment event, the corresponding withdrawTokens() function does not emit any events. This is not good for offchain monitoring or transparency.
Proof of Concept
https://github.com/sushiswap/miso/blob/2cdb1486a55ded55c81898b7be8811cb68cfda9e/contracts/Auctions/BatchAuction.sol#L317-L335
https://github.com/sushiswap/miso/blob/2cdb1486a55ded55c81898b7be8811cb68cfda9e/contracts/Auctions/BatchAuction.sol#L244
Tools Used
Manual Analysis
Recommended Mitigation Steps
Add and emit a withdraw event.
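One way the recommendation can look, as an added example that is not code from BatchAuction.sol or from the finding's author. The contract is a simplified, hypothetical auction: the `TokensWithdrawn` event, the `endTime` field, the ETH refund logic and the parameter list shown for `AddedCommitment` are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified, hypothetical auction used only to illustrate the recommendation.
// Only the names AddedCommitment and withdrawTokens come from the finding;
// everything else here is an assumption.
contract AuctionEventSketch {
    uint256 public immutable endTime;
    mapping(address => uint256) public commitments;

    // Deposit-side event named in the finding (parameter list assumed).
    event AddedCommitment(address addr, uint256 commitment);
    // Hypothetical withdrawal-side counterpart. The beneficiary is indexed
    // so an offchain monitor can filter logs per account.
    event TokensWithdrawn(address indexed beneficiary, uint256 amount);

    constructor(uint256 _endTime) {
        require(_endTime > block.timestamp, "end time in the past");
        endTime = _endTime;
    }

    function commitEth() external payable {
        require(block.timestamp < endTime, "auction closed");
        require(msg.value > 0, "no value");
        commitments[msg.sender] += msg.value;
        emit AddedCommitment(msg.sender, msg.value);
    }

    function withdrawTokens(address payable beneficiary) external {
        require(block.timestamp >= endTime, "auction still open");
        uint256 amount = commitments[beneficiary];
        require(amount > 0, "nothing to withdraw");
        // Effects before interaction: clear the balance, then transfer.
        commitments[beneficiary] = 0;
        (bool ok, ) = beneficiary.call{value: amount}("");
        require(ok, "transfer failed");
        // If the transfer reverts, this log is discarded with the rest of
        // the transaction, so every TokensWithdrawn log is a real payout.
        emit TokensWithdrawn(beneficiary, amount);
    }
}
```

With both events in place, a monitor can reconcile each account by summing `AddedCommitment` amounts against `TokensWithdrawn` amounts from logs alone, without replaying storage reads.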