Closed code423n4 closed 2 years ago
Disagree with the finding: any developer can just listen to the function call; it's even a feature of The Graph. Having an event doesn't increase visibility of these changes.
Having an event is a best practice, as such I would downgrade the severity
duplicate of #55
Handle
0x0x0x
Vulnerability details
Proof of Concept
In Zap.sol, governance has the access control. There is no event on change of governance, where governance can allow or block any address from the contract. Governance changes and functions should be emitted to inform users about changes. Furthermore, multi-sign, Timelock, etc. are highly recommended.
Tools Used
Manual analysis