code-423n4 / 2024-02-wise-lending-findings


[M-5] Missing Important event logs after sensitive actions #300

Closed c4-bot-10 closed 3 months ago

c4-bot-10 commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/WiseLending.sol#L329-L343

Vulnerability details

Description:

Function is missing important event logs; sensitive actions are performed but there are no events being emitted.

Impact:

Lack of sensitive information for users.

Tools Used

Manual Review

Proof Of Concept:

    function collateralizeDeposit(
        uint256 _nftId,
        address _poolToken

    ) external syncPool(_poolToken) {

        WISE_SECURITY.checksCollateralizeDeposit(
            _nftId,
            msg.sender,
            _poolToken
        );

        userLendingData[_nftId][_poolToken].unCollateralized = false;
    }

Recommended Mitigation Steps:

Emit an event log upon successful deposit

+    event DepositCollateralized(
+        address indexed sender,
+        uint256 indexed nftId,
+        address indexed token,
+        uint256 amount,
+        uint256 shares,
+        uint256 timestamp
+    );

    function collateralizeDeposit(
        uint256 _nftId,
        address _poolToken

    ) external syncPool(_poolToken) {

        WISE_SECURITY.checksCollateralizeDeposit(
            _nftId,
            msg.sender,
            _poolToken
        );

        userLendingData[_nftId][_poolToken].unCollateralized = false;

+       _emitDepositCollateralized(msg.sender, _nftId, _poolToken);
    }
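
Review bot: the added call `_emitDepositCollateralized(msg.sender, _nftId, _poolToken)` at the end of `collateralizeDeposit` uses a helper that is not defined anywhere in this patch, and it passes three values while `DepositCollateralized` declares six fields. `collateralizeDeposit` only receives `_nftId` and `_poolToken`, so `amount` and `shares` have no source in the lines shown, and `timestamp` repeats what the block containing the log already records. Suggest trimming the event to `sender`, `nftId` and `token` and emitting it directly with `emit DepositCollateralized(msg.sender, _nftId, _poolToken);`.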

Assessed type

Context

c4-pre-sort commented 4 months ago

GalloDaSballo marked the issue as insufficient quality report

GalloDaSballo commented 4 months ago

Event as a Med = Scrap pls

vm06007 commented 3 months ago

Disqualified.

c4-judge commented 3 months ago

trust1995 marked the issue as unsatisfactory: Invalid