wrong mint emission in treasury contract

[hats-bug-reporter[bot]]

Github username: @0xmahdirostami Twitter username: 0xmahdirostami Submission hash (on-chain): 0x9e801d61d9f96e01afc25f9e387915ae16a066e5586556b8994786a33174ec4b Severity: low

Description: Description

currently, anyone could send their tokens to the treasury and create fake mint emission:

https://github.com/hats-finance/Circles-0x6ca9ca24d78af44582951825bef9eadcb210e5cf/blob/507e18587b8a0b64a4bb21db01ecf876dc607e47/src/treasury/StandardTreasury.sol#L164-L176

Scenario:

• Users could send their unworthy and untrusted tokens to treasury and emit the wrong mint event, potentially causing wrong information for those who are listening to that group event

Mitigation:

some possible:

• move this event to groupmint
• check that the received token is trusted, if not revert it

[0xmahdirostami]

same for GroupMintBatch:

https://github.com/hats-finance/Circles-0x6ca9ca24d78af44582951825bef9eadcb210e5cf/blob/507e18587b8a0b64a4bb21db01ecf876dc607e47/src/treasury/StandardTreasury.sol#L159

[benjaminbollen]

Thank you for your report regarding the mint emission in the StandardTreasury contract. After review, we accept this as a low-severity issue.

While there is no security vulnerability, the event name could lead to potential misinterpretation by indexers. Due to compile size constraints in the Hub contract, the event is emitted by the StandardTreasury, but the name may suggest more than the StandardTreasury can confirm.

To avoid confusion, we will consider renaming the event to something like "CollateralLocked," which more accurately reflects the contract’s action. The alternative suggestion of rechecking on the Hub would add unnecessary gas costs for compliant behavior.

We appreciate your effort in identifying this and bringing it to our attention.