code-423n4 / 2021-09-yaxis-findings


Withdraw event uses wrong parameter #122

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

cmichel

Vulnerability details

The Withdraw event in LegacyController.withdraw emits the _amount variable which is the initial, desired amount to withdraw. It should emit the actual withdrawn amount instead, which is transferred in the last token.balanceOf(address(this)) call.

Impact

The actual withdrawn amount, which can be lower than _amount, is part of the event. This is usually not what you want (and it can already be decoded from the function argument).

Recommended Mitigation Steps

Use it or remove it.
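As an added illustration, and not code from the yAxis repository or from the finding's author, the following simplified Solidity controller places the event-emission pattern the finding describes next to a version that emits the amount actually transferred. The contract, the `IVault` interface and the function names are hypothetical; only the `Withdraw` event name, the `_amount` parameter and the `token.balanceOf(address(this))` pattern come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 surface needed here (assumption: a standard ERC-20 token).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical upstream vault; it may release less than requested
// (for example when the strategy applies a withdrawal fee or slippage bound).
interface IVault {
    function withdraw(uint256 amount) external;
}

// Hypothetical controller, not the yAxis LegacyController itself.
contract ExampleController {
    IERC20 public immutable token;
    IVault public immutable vault;

    event Withdraw(address indexed user, uint256 amount);

    constructor(IERC20 _token, IVault _vault) {
        token = _token;
        vault = _vault;
    }

    // Pattern the finding describes: the vault may release less than _amount,
    // the whole received balance is forwarded, but the event still logs _amount.
    function withdrawRequestedAmountLogged(uint256 _amount) external {
        vault.withdraw(_amount);
        uint256 received = token.balanceOf(address(this));
        require(token.transfer(msg.sender, received), "transfer failed");
        emit Withdraw(msg.sender, _amount); // may overstate what was actually sent
    }

    // Corrected pattern: emit the amount that was actually transferred, so
    // off-chain indexers and accounting built on the event stay consistent.
    function withdrawActualAmountLogged(uint256 _amount) external {
        vault.withdraw(_amount);
        uint256 received = token.balanceOf(address(this));
        require(token.transfer(msg.sender, received), "transfer failed");
        emit Withdraw(msg.sender, received);
    }
}
```

The requested amount remains recoverable from the transaction's calldata, which is why logging it again in the event adds nothing, while the transferred amount is only visible on-chain through the token's own `Transfer` event. If the controller could hold a residual balance between calls, measuring `balanceOf` before and after the vault call and transferring only the difference would make the logged value more precise still.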

GalloDaSballo commented 2 years ago

Nice catch, sponsor mitigated