Description:
In the PrelaunchPoints contract, there are critical functions modifying the state of the contract without emitting any events. Specifically, the functions allowToken and setEmergencyMode alter important state variables yet lack corresponding event emissions.
Events serve as a tool for external consumers to observe and respond to contract state changes efficiently. They are widely used for indexing and querying historical data, as well as for providing real-time information to off-chain services and front-end applications. Because these functions change state without emitting events, the contract's operations are harder to track and less transparent. Consequently, critical actions may go unnoticed, potentially impacting user experience, system integrity, and security monitoring.
Impact:
Without event emissions, off-chain services such as user interfaces, oracles, and indexing services may not be notified of changes in contract state. This could lead to outdated or inaccurate displays of information, misinformed decisions, and overall reduced system trustworthiness.
Recommendations:
Implement and emit descriptive events for all functions that result in state changes of the contract, including allowToken and setEmergencyMode. The events should capture information about the action performed, the subjects involved, and the resultant state. For example:
For allowToken, emit an event with the address of the token that was allowed.
For setEmergencyMode, emit an event indicating the new state of the emergency mode.
Ensure that these events are documented and their intended use is communicated to any off-chain services or front-ends relying on contract interactions.
Additionally, review all other contract functions to ensure that any function which modifies the state is complemented by appropriate event emission.
Code Snippets:
Illustrative changes to implement the recommendations:
// Event definitions
event TokenAllowed(address indexed token);
event EmergencyModeSet(bool mode);

// Example implementation in the allowToken function
function allowToken(address _token) external onlyAuthorized {
    isTokenAllowed[_token] = true;
    emit TokenAllowed(_token);
}

// Example implementation in the setEmergencyMode function
function setEmergencyMode(bool _mode) external onlyAuthorized {
    emergencyMode = _mode;
    emit EmergencyModeSet(_mode);
}
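A regression test for the recommended events, added here as an example and not taken from the report or the project's code. It assumes a Foundry (forge-std) test setup; `PatchedSetters` is a hypothetical stand-in that reproduces only the two setters with a simplified owner-only `onlyAuthorized`, and the token address is constructed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol"; // assumption: Foundry test setup
import {Vm} from "forge-std/Vm.sol";

// Hypothetical stand-in for the patched contract (simplified owner check).
contract PatchedSetters {
    address public owner = msg.sender;
    mapping(address => bool) public isTokenAllowed;
    bool public emergencyMode;
    event TokenAllowed(address indexed token);
    event EmergencyModeSet(bool mode);

    modifier onlyAuthorized() {
        require(msg.sender == owner, "not authorized");
        _;
    }
    function allowToken(address _token) external onlyAuthorized {
        isTokenAllowed[_token] = true;
        emit TokenAllowed(_token);
    }
    function setEmergencyMode(bool _mode) external onlyAuthorized {
        emergencyMode = _mode;
        emit EmergencyModeSet(_mode);
    }
}

contract EventEmissionTest is Test {
    event TokenAllowed(address indexed token); // redeclared for expectEmit
    PatchedSetters internal c = new PatchedSetters(); // test contract is owner

    function test_allowToken_emits() public {
        address token = address(0xBEEF); // constructed address
        // Check topic1 (the indexed token), the data, and the emitting contract.
        vm.expectEmit(true, false, false, true, address(c));
        emit TokenAllowed(token);
        c.allowToken(token);
        assertTrue(c.isTokenAllowed(token));
    }

    // Inspect the raw log the way an off-chain indexer would filter on it.
    function test_setEmergencyMode_log_shape() public {
        vm.recordLogs();
        c.setEmergencyMode(true);
        Vm.Log[] memory logs = vm.getRecordedLogs();
        assertEq(logs.length, 1);
        assertEq(logs[0].emitter, address(c));
        assertEq(logs[0].topics[0], keccak256("EmergencyModeSet(bool)"));
        assertTrue(abi.decode(logs[0].data, (bool)));
    }
}
```

Run against the unpatched setters, both tests fail because no log is produced, which is the condition this finding describes.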
Lines of code
https://github.com/code-423n4/2024-05-loop/blob/40167e469edde09969643b6808c57e25d1b9c203/src/PrelaunchPoints.sol#L364
https://github.com/code-423n4/2024-05-loop/blob/40167e469edde09969643b6808c57e25d1b9c203/src/PrelaunchPoints.sol#L372
Assessed type
Other