Closed code423n4 closed 1 year ago
Overly inflated, QA suggestion.
The `Transfer` event has an `address indexed from` and an `address indexed to` parameter which can be used to distinguish between a deposit and a withdrawal event.
If the `from` address is `address(0)` and the `to` address is non-zero, it is a withdrawal.
If the `from` address is a non-zero address and the `to` address is `address(0)`, it is a deposit.
Closing as invalid.
berndartmueller marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2022-11-non-fungible/blob/323b7cbf607425dd81da96c0777c8b12e800305d/contracts/Pool.sol#L37
https://github.com/code-423n4/2022-11-non-fungible/blob/323b7cbf607425dd81da96c0777c8b12e800305d/contracts/Pool.sol#L49
Vulnerability details
Impact
Deposit and Withdraw emit the same event as ERC20 burn and mint, so it's not possible to distinguish in a DAPP that deposit and withdraw are not mint or burn, and this could affect the DAPP logic. For example, cointracking.info could misinterpret these events for paying taxes.
Tools Used
Manual review
Recommended Mitigation Steps
Modify the event for deposit and withdraw.