Handle
cmichel

Vulnerability details
The Withdraw event in LegacyController.withdraw emits the _amount variable, which is the initial, desired amount to withdraw. It should emit the actual withdrawn amount instead, which is the amount transferred in the last token.balanceOf(address(this)) call.

Impact
The actual withdrawn amount, which can be lower than _amount, is part of the event. This is usually not what you want (and it can already be decoded from the function argument).

Recommended Mitigation Steps
Use it or remove it.
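The pattern described above, as an added illustration that is not the project's LegacyController code: a reduced withdraw function in the shape the finding describes, with the event emitting the requested _amount beside the corrected version that emits the balance actually transferred. The IStrategy interface, the vault recipient and the Withdraw event signature are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical source of funds; stands in for whatever the real controller
// withdraws from before forwarding tokens to the vault.
interface IStrategy {
    function withdraw(uint256 amount) external;
}

contract WithdrawEventExample {
    // Assumed event shape; the real contract's signature may differ.
    event Withdraw(address indexed caller, uint256 amount);

    IERC20 public immutable token;
    IStrategy public immutable strategy;
    address public immutable vault;

    constructor(IERC20 _token, IStrategy _strategy, address _vault) {
        token = _token;
        strategy = _strategy;
        vault = _vault;
    }

    // Before: the event reports the requested amount. Off-chain consumers
    // already have that value from calldata, and it can exceed what was
    // actually moved when the strategy returns less than asked for.
    function withdrawEmitsRequested(uint256 _amount) external {
        strategy.withdraw(_amount);
        uint256 balance = token.balanceOf(address(this));
        require(token.transfer(vault, balance), "transfer failed");
        emit Withdraw(msg.sender, _amount); // may be larger than `balance`
    }

    // After: the event reports the amount that was actually transferred,
    // i.e. the value of the final balanceOf(address(this)) call.
    function withdrawEmitsActual(uint256 _amount) external returns (uint256 withdrawn) {
        strategy.withdraw(_amount);
        withdrawn = token.balanceOf(address(this));
        require(token.transfer(vault, withdrawn), "transfer failed");
        emit Withdraw(msg.sender, withdrawn); // matches the tokens that moved
    }
}
```

Returning the withdrawn amount as well lets callers and tests compare it directly against the emitted value.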