Lines of code
https://github.com/delegatexyz/delegate-registry/blob/6d1254de793ccc40134f9bec0b7cb3d9c3632bc1/src/DelegateRegistry.sol#L59
https://github.com/delegatexyz/delegate-registry/blob/6d1254de793ccc40134f9bec0b7cb3d9c3632bc1/src/DelegateRegistry.sol#L78
https://github.com/delegatexyz/delegate-registry/blob/6d1254de793ccc40134f9bec0b7cb3d9c3632bc1/src/DelegateRegistry.sol#L98
https://github.com/delegatexyz/delegate-registry/blob/6d1254de793ccc40134f9bec0b7cb3d9c3632bc1/src/DelegateRegistry.sol#L122
https://github.com/delegatexyz/delegate-registry/blob/6d1254de793ccc40134f9bec0b7cb3d9c3632bc1/src/DelegateRegistry.sol#L147
Vulnerability details
Impact
The DelegateRegistry contract emits an event corresponding to the delegation type whenever a delegation is added. However, the delegation functions always emit the event at the end of execution, even when the state has not actually changed. For example, if the delegation already exists or has already been revoked, calling the delegation function again emits the same event without updating anything. This can confuse off-chain applications that monitor the state of the protocol and its delegations.
Proof of Concept
Event DelegateAll emitted at the end of delegateAll function: https://github.com/delegatexyz/delegate-registry/blob/6d1254de793ccc40134f9bec0b7cb3d9c3632bc1/src/DelegateRegistry.sol#L59
Event DelegateContract emitted at the end of delegateContract function: https://github.com/delegatexyz/delegate-registry/blob/6d1254de793ccc40134f9bec0b7cb3d9c3632bc1/src/DelegateRegistry.sol#L78
Event DelegateERC721 emitted at the end of delegateERC721 function: https://github.com/delegatexyz/delegate-registry/blob/6d1254de793ccc40134f9bec0b7cb3d9c3632bc1/src/DelegateRegistry.sol#L98
Event DelegateERC20 emitted at the end of delegateERC20 function: https://github.com/delegatexyz/delegate-registry/blob/6d1254de793ccc40134f9bec0b7cb3d9c3632bc1/src/DelegateRegistry.sol#L122
Event DelegateERC1155 emitted at the end of delegateERC1155 function: https://github.com/delegatexyz/delegate-registry/blob/6d1254de793ccc40134f9bec0b7cb3d9c3632bc1/src/DelegateRegistry.sol#L147
Tools Used
Manual Review
Recommended Mitigation Steps
It is recommended to change the delegation functions so that delegation events are emitted only when the state of the delegation has changed.
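The following sketch is an added illustration of this recommendation, not code from the delegate-registry repository. The contract name, the `enabled` mapping, the key derivation, the event fields and both function names are assumptions chosen to model the always-emit behaviour beside an emit-on-change variant.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Simplified model for illustration only; not the DelegateRegistry source.
/// Storage layout, event fields and function names are assumptions.
contract DelegationEventSketch {
    event DelegateAll(address indexed from, address indexed to, bytes32 rights, bool enable);

    // Delegation key => whether the delegation is currently enabled.
    mapping(bytes32 => bool) public enabled;

    function _key(address from, address to, bytes32 rights) internal pure returns (bytes32) {
        return keccak256(abi.encode(from, to, rights));
    }

    /// Behaviour described in the finding: storage is only written when the
    /// value differs, but the event is emitted on every call, so repeating a
    /// delegation (or repeating a revocation) produces a duplicate log entry.
    function delegateAllAlwaysEmits(address to, bytes32 rights, bool enable)
        external
        returns (bytes32 key)
    {
        key = _key(msg.sender, to, rights);
        if (enabled[key] != enable) {
            enabled[key] = enable;
        }
        emit DelegateAll(msg.sender, to, rights, enable);
    }

    /// Recommended behaviour: return early when the call is a no-op, so every
    /// emitted event corresponds to exactly one state transition.
    function delegateAllEmitsOnChange(address to, bytes32 rights, bool enable)
        external
        returns (bytes32 key)
    {
        key = _key(msg.sender, to, rights);
        if (enabled[key] == enable) {
            return key; // already in the requested state: no write, no event
        }
        enabled[key] = enable;
        emit DelegateAll(msg.sender, to, rights, enable);
    }
}
```

With the second variant, an off-chain indexer that replays the log sees each delegation enabled at most once before the next revocation, so counting events and reading storage give the same result.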
Assessed type
Other