code-423n4 / 2024-02-wise-lending-findings


[M-4] Misinformation of events for critical parameters #299

Closed c4-bot-10 closed 6 months ago

c4-bot-10 commented 6 months ago

Lines of code

https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/WiseLending.sol#L600-L628

Vulnerability details

Description:

Event is currently being emitted before the transfer has occurred. This leads to misinformation of critical parameters.

Impact:

Misinformation of events for critical parameters

Tools Used

Manual Review

Proof Of Concept:

    function solelyDeposit(
        uint256 _nftId,
        address _poolToken,
        uint256 _amount
    ) public syncPool(_poolToken) {
        _handleSolelyDeposit(msg.sender, _nftId, _poolToken, _amount);

        _emitFundsSolelyDeposited(msg.sender, _nftId, _poolToken, _amount);

        _safeTransferFrom(_poolToken, msg.sender, address(this), _amount);
    }

Recommended Mitigation Steps:

Function should emit event after safe transfer

    function solelyDeposit(
        uint256 _nftId,
        address _poolToken,
        uint256 _amount
    ) public syncPool(_poolToken) {
        _handleSolelyDeposit(msg.sender, _nftId, _poolToken, _amount);

-     _emitFundsSolelyDeposited(msg.sender, _nftId, _poolToken, _amount);
-     _safeTransferFrom(_poolToken, msg.sender, address(this), _amount);

+     _safeTransferFrom(_poolToken, msg.sender, address(this), _amount);
+     _emitFundsSolelyDeposited(msg.sender, _nftId, _poolToken, _amount);
    }
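
Review bot: moving `_emitFundsSolelyDeposited` below `_safeTransferFrom` does not change what ends up in the logs if `_safeTransferFrom` reverts on a failed transfer (an assumption from its name, since its body is not shown here), because a revert discards every log emitted earlier in the same transaction, so the original order cannot leave a deposit event for a transfer that did not happen. The reorder also puts the emit after an external call into `_poolToken`, so if that token calls back into the contract, events from the nested call would be logged ahead of this one. If the order is changed, the description should say which ordering off-chain consumers rely on, and note that `_handleSolelyDeposit` still runs before the transfer in both versions.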

Assessed type

Context

c4-pre-sort commented 6 months ago

GalloDaSballo marked the issue as insufficient quality report

GalloDaSballo commented 6 months ago

Would be QA R -> pls scrap as overinflated

vm06007 commented 6 months ago

Disqualified.

c4-judge commented 6 months ago

trust1995 marked the issue as unsatisfactory: Overinflated severity