code-423n4 / 2023-09-maia-findings


Lack of event emission after sensitive actions #114

Open c4-submissions opened 1 year ago

c4-submissions commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-09-maia/blob/main/src/RootBridgeAgent.sol#L160-L172

Vulnerability details

Impact

Lack of event emission after sensitive actions. The _callOut function of the RootBridgeAgent contract does not emit relevant events after executing the sensitive action.

Proof of Concept

src/RootBridgeAgent.sol#L160-L172

    function callOut(
        address payable _refundee,
        address _recipient,
        uint16 _dstChainId,
        bytes calldata _params,
        GasParams calldata _gParams
    ) external payable override lock requiresRouter {
        //Encode Data for call.
        bytes memory payload = abi.encodePacked(bytes1(0x00), _recipient, settlementNonce++, _params);

        //Perform Call to clear hToken balance on destination branch chain.
        _performCall(_dstChainId, _refundee, payload, _gParams);
    }

Recommended Mitigation Steps

Include appropriate require statements and events for error handling and state tracking. Validate these through unit tests and code audits.

Assessed type

Other
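As an added illustration (not the Maia project's code and not part of this submission), a minimal sketch of what the recommended event emission could look like in callOut. The event name and field set, the uint32 type of settlementNonce, the constructor, and the stand-in lock / requiresRouter modifiers and _performCall body are assumptions, not copied from the project.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added sketch of RootBridgeAgent.callOut with an event emitted after the
/// cross-chain call. Everything other than the callOut signature and body
/// shape is a stand-in for the project's own definitions (assumed).
contract RootBridgeAgentSketch {
    struct GasParams { uint256 gasLimit; uint256 remoteBranchExecutionGas; }

    uint32 public settlementNonce;          // assumed width
    bool private locked;
    address public immutable bridgeRouterAddress;

    // Hypothetical event. Indexed fields let off-chain monitors filter by
    // recipient and destination chain; the nonce correlates with the payload.
    event CallOut(
        address indexed refundee,
        address indexed recipient,
        uint16 indexed dstChainId,
        uint32 settlementNonce,
        bytes params
    );

    constructor(address _router) { bridgeRouterAddress = _router; }

    // Stand-ins for the project's modifiers.
    modifier lock() { require(!locked, "REENTRANCY"); locked = true; _; locked = false; }
    modifier requiresRouter() { require(msg.sender == bridgeRouterAddress, "UNAUTHORIZED"); _; }

    function callOut(
        address payable _refundee,
        address _recipient,
        uint16 _dstChainId,
        bytes calldata _params,
        GasParams calldata _gParams
    ) external payable lock requiresRouter {
        // Post-increment semantics as in the original: the payload carries the
        // pre-increment nonce, so capture it once and reuse it in the event.
        uint32 nonce = settlementNonce++;
        bytes memory payload = abi.encodePacked(bytes1(0x00), _recipient, nonce, _params);

        _performCall(_dstChainId, _refundee, payload, _gParams);

        // Emitted after the sensitive action so indexers and monitoring can
        // track every outbound settlement and its parameters.
        emit CallOut(_refundee, _recipient, _dstChainId, nonce, _params);
    }

    // Stand-in for the project's cross-chain messaging call (assumed, empty).
    function _performCall(uint16, address payable, bytes memory, GasParams calldata) internal virtual {}
}
```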

c4-pre-sort commented 1 year ago

0xA5DF marked the issue as low quality report

0xA5DF commented 1 year ago

Lack of event emission after sensitive actions.

QA

c4-judge commented 1 year ago

alcueca changed the severity to QA (Quality Assurance)

c4-judge commented 1 year ago

alcueca marked the issue as grade-a