code-423n4 / 2023-11-shellprotocol-findings

Event Emission #327

Closed c4-bot-4 closed 8 months ago

c4-bot-4 commented 8 months ago

Lines of code

https://github.com/code-423n4/2023-11-shellprotocol/blob/main/src/adapters/Curve2PoolAdapter.sol#L30

Vulnerability details

Impact

Events such as Swap, Deposit, and Withdraw are emitted with the primitive address as the user parameter, which might not be the actual user (msg.sender) initiating the transaction.

Proof of Concept

Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.

Tools Used

Recommended Mitigation Steps

"Resolution": "Modify the events to emit the actual user's address (msg.sender) instead of the primitive address.",
"Source": "emit Swap(inputToken, inputAmount, outputAmount, minimumOutputAmount, primitive, true);",
"Solution": "Replace 'primitive' with 'msg.sender' in the event emissions."

Assessed type

MEV

c4-pre-sort commented 8 months ago

raymondfam marked the issue as insufficient quality report

c4-pre-sort commented 8 months ago

raymondfam marked the issue as duplicate of #301

c4-judge commented 8 months ago

0xA5DF marked the issue as unsatisfactory: Invalid
