search

code-423n4 / 2022-09-nouns-builder-findings

10 stars 6 forks source link

Lack of event emission after critical initialize() functions #129

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-09-nouns-builder/blob/7e9fddbbacdd7d7812e912a369cfd862ee67dc03/src/token/Token.sol#L43

Vulnerability details

Impact

Most contracts use initialize() functions instead of constructor given the delegatecall proxy pattern. While most of them emit an event in the critical initialize() functions to record the init parameters for off-chain monitoring and transparency reasons.

Impact: The Token contract is initialized but their critical init parameters (name, symbol and etc.) are not logged for any off-chain monitoring.

Proof of Concept

Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.

Tools Used

https://github.com/code-423n4/2021-06-pooltogether-findings/issues/68

Recommended Mitigation Steps

Emit an initialised event in Token.sol logging their init parameters.

GalloDaSballo commented 2 years ago

Valid NC, Leighton FUD Defense Squad

I'm gonna vindicate that judging to say that a even should always be marked as NC, unless the event is used for bridging which is not the case here

Screenshot 2022-09-17 at 22 56 19
GalloDaSballo commented 2 years ago

NC