Event Emission Inconsistency in Deposit Function

[hats-bug-reporter[bot]]

Github username: @feeqcodes Twitter username: feeqcodes Submission hash (on-chain): 0x0aa275fee49b5ed49fea2e2c64ce27b79e35b017322bd944e054d0dc5c4feca2 Severity: low

Description: Description\ Both The deposit function in Minter.sol and the deposit function in NativeMinter has a vulnerability where it emits the Deposit event even if the minting operation fails. This can lead to inconsistent state reporting, where the contract logs a deposit that didn't actually occur. The function does not explicitly check the success of the stakingToken.mint() operation before emitting the event

Attack Scenario\ An attacker could exploit this vulnerability by:

• Identifying conditions under which the mint operation might fail (e.g., if the contract has reached its maximum supply).
• Calling the deposit function under these conditions.
• The function will emit the Deposit event even though no tokens were minted.
• This could mislead external systems or users monitoring these events, potentially causing accounting discrepancies or other issues in integrated systems.

2. Revised Code File

   
   function deposit(address receiver) public payable virtual nonReentrant {
       require(msg.value > 0, "ZeroDeposit");
       uint256 mintAmount = previewDeposit(msg.value);
       require(mintAmount > 0, "ZeroMintAmount");
   
       // Check the success of the mint operation
       bool success = stakingToken.mint(receiver, mintAmount);
       require(success, "MintFailed");
   
       // Only emit the event if minting was successful
       emit Deposit(address(msg.sender), receiver, msg.value);
   }
   
   // ... NativeMinter contract ...
   
   function deposit(address receiver) public payable virtual nonReentrant {
       require(msg.value > 0, "ZeroDeposit");
       uint256 mintAmount = previewDeposit(msg.value);
       require(mintAmount > 0, "ZeroMintAmount");
       bool success = stakingToken.mint(receiver, mintAmount);
       require(success, "MintFailed");
       emit Deposit(address(msg.sender), receiver, msg.value);
   }
   }

The revised code adds a check for the success of the mint operation and only emits the Deposit event if minting was successful. This ensures that the event accurately reflects the state of the contract.

[0xRizwan]

StakingToken i.e stROSE does not have maximum supply which can be checked here.

so the condition wont be applicable in practical.

Identifying conditions under which the mint operation might fail (e.g., if the contract has reached its maximum supply).

Also, under following contest rule, this issue is OOS.

Any issue that is only theoretical but can't happen in practice