search

code-423n4 / 2023-07-moonwell-findings

1 stars 0 forks source link

TemporalGovernor can emit false events #103

Open code423n4 opened 11 months ago

code423n4 commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Governance/TemporalGovernor.sol#L146-L156 https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Governance/TemporalGovernor.sol#L173-L183

Vulnerability details

Impact

The trustedSenders array makes use of EnumerableSet. When doing an addition of an already present element, the EnumerableSet add method will return false. However, function setTrustedSenders does not check this return value and it still emits a TrustedSenderUpdated event, even though no trusted sender got changed.

A similar thing can be said regarding function unSetTrustedSenders and EnumerableSet's remove method: when the element is not present in the array in the first place, an event still gets emitted.

Tools Used

Manual review.

Recommended Mitigation Steps

Check the EnumerableSet's return value to know whether or not it should emit an event.

Assessed type

Loop

0xSorryNotSorry commented 11 months ago

If the function returns, the execution will halt.

Invalid.

c4-pre-sort commented 11 months ago

0xSorryNotSorry marked the issue as low quality report

alcueca commented 10 months ago

The warden is right, but the events won't be fake, just redundant. Valid as QA.

c4-judge commented 10 months ago

alcueca changed the severity to QA (Quality Assurance)

c4-judge commented 10 months ago

alcueca marked the issue as grade-a