search

hats-finance / Blast-Futures-Exchange-0x97895c329b950755566ddcdad3395caaea395074

0 stars 0 forks source link

Missing events for functions that change critical parameters #33

Open hats-bug-reporter[bot] opened 7 months ago

hats-bug-reporter[bot] commented 7 months ago

Github username: -- Twitter username: -- Submission hash (on-chain): 0x5579690a6c1ebbd6866da6b97451a3e14de92dfeca1bd81947beff030be4ffbc Severity: low

Description: Description\

The onlyOwner functions that change critical parameters should emit events.

Events allow capturing the changed parameters so that off-chain tools/interfaces can register such changes with timelocks that allow users to evaluate them and consider if they would like to engage/exit based on how they perceive the changes as affecting the trustworthiness of the protocol or profitability of the implemented financial services.

The alternative of directly querying on-chain contract state for such changes is not considered practical for most users/usages.

Missing events do not promote transparency and if such changes immediately affect users’ perception of fairness or trustworthiness, they could exit the protocol causing a reduction in liquidity which could negatively impact protocol TVL and reputation.

In Blast-Future Exchange contrcats, below are owner functions that do not emit any events in the contracts.

1) In Bfx.sol

    function setPaymentToken(address _paymentToken) external onlyOwner {
        paymentToken = IERC20(_paymentToken);
    }

    function changeSigner(address new_signer) external onlyOwner {
        require(new_signer != address(0), "ZERO_SIGNER");
        external_signer = new_signer;
    }

2) In BfxVault.sol


    function setPaymentToken(address _paymentToken) external onlyOwner {
        paymentToken = IERC20(_paymentToken);
    }

    function setBfx(address _bfx) external onlyOwner {
        bfx = IBfx(_bfx);
    }

3) In PoolDeposit.sol

    function setPaymentToken(address _paymentToken) external onlyOwner {
        paymentToken = IERC20(_paymentToken);
    }

    function setRabbit(address _rabbit) external onlyOwner {
        rabbit = _rabbit;
    }

Recommendation\

Add events to all onlyOwner functions that change critical parameters.