hats-finance / Fenix--0x9d7765a7ebd5b6322a30797a44a5428531970d3d


the `_setExternalBribe` logs incorrect information #40

Open hats-bug-reporter[bot] opened 2 months ago

hats-bug-reporter[bot] commented 2 months ago

Github username: --
Twitter username: --
Submission hash (on-chain): 0x1f14e721c29e2e97b474147fbe6482d950d5b964430ba90e41465e7b2401eb9f
Severity: low

Description

The vulnerability lies in the incorrect logging within the _setExternalBribe function. Specifically, the function emits an event called SetBribeFor using internal_bribes[_gauge] instead of external_bribes[_gauge] for the current external bribe address argument.

This misconfiguration in the event emission can be exploited to mislead observers of the blockchain about the actual deployment or change of external bribes. Given that blockchain transparency is fundamental for trust in the system, especially for operations involving incentive mechanisms (like bribes), this has real implications.

Attack Scenario

  1. Assume an observer monitors external bribes being set for gauges through the SetBribeFor event for governance or audit purposes.
  2. The contract admin sets or updates an external bribe address using the setNewBribes function.
  3. Upon execution, _setExternalBribe is called internally, and an event SetBribeFor(false, internal_bribes[_gauge], _external, _gauge) is emitted.
  4. Observers receive the event and, due to the erroneous emission of internal_bribes[_gauge] as the previous address, incorrectly conclude that the previous external bribe address was what is currently the internal bribe address.

Conclusion and Fix:

To correct this issue, the line in the _setExternalBribe function:

```solidity
emit SetBribeFor(false, internal_bribes[_gauge], _external, _gauge);
```

should be changed to:

```solidity
emit SetBribeFor(false, external_bribes[_gauge], _external, _gauge);
```

Attachments

  1. Proof of Concept (PoC) File

  2. Revised Code File (Optional)
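The following is an added example, not code from the report above or from the Fenix repository. It models the contract state and the event stream in Python so the attack scenario can be replayed offline: an off-chain indexer rebuilds the external bribe per gauge from SetBribeFor events and checks every event's "previous address" field against its own view. Assumptions not taken from the page: that setNewBribes sets the internal bribe before the external one, the event parameter names (is_internal, old_bribe, new_bribe, gauge), and the constructed addresses used as sample input.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ZERO = "0x0000000000000000000000000000000000000000"


@dataclass(frozen=True)
class SetBribeFor:
    """Model of the SetBribeFor(bool, address, address, address) event.
    Field names are an assumption; the page only shows the argument order."""
    is_internal: bool
    old_bribe: str
    new_bribe: str
    gauge: str


@dataclass
class VoterModel:
    """Toy model of the voter's bribe bookkeeping; `buggy=True` reproduces the
    event emission described in the report, `buggy=False` the proposed fix."""
    buggy: bool
    internal_bribes: Dict[str, str] = field(default_factory=dict)
    external_bribes: Dict[str, str] = field(default_factory=dict)
    logs: List[SetBribeFor] = field(default_factory=list)

    def _set_internal_bribe(self, gauge: str, internal: str) -> None:
        old = self.internal_bribes.get(gauge, ZERO)
        self.logs.append(SetBribeFor(True, old, internal, gauge))
        self.internal_bribes[gauge] = internal

    def _set_external_bribe(self, gauge: str, external: str) -> None:
        if self.buggy:
            # Reported behaviour: the previous-address slot carries the
            # internal bribe, not the external bribe being replaced.
            old = self.internal_bribes.get(gauge, ZERO)
        else:
            # Proposed fix: report the external bribe being replaced.
            old = self.external_bribes.get(gauge, ZERO)
        self.logs.append(SetBribeFor(False, old, external, gauge))
        self.external_bribes[gauge] = external

    def set_new_bribes(self, gauge: str, internal: str, external: str) -> None:
        # Assumed ordering: internal first, then external (not stated on the page).
        self._set_internal_bribe(gauge, internal)
        self._set_external_bribe(gauge, external)


def replay(logs: List[SetBribeFor]) -> Tuple[Dict[str, str], List[Tuple[int, str, str, str]]]:
    """Off-chain observer: rebuild the external bribe per gauge from the event
    stream and flag every external event whose old_bribe does not match the
    address the observer believes was previously set.
    Returns (view, inconsistencies) where each inconsistency is
    (event index, gauge, expected old address, logged old address)."""
    view: Dict[str, str] = {}
    inconsistencies: List[Tuple[int, str, str, str]] = []
    for i, ev in enumerate(logs):
        if ev.is_internal:
            continue
        expected_old = view.get(ev.gauge, ZERO)
        if ev.old_bribe != expected_old:
            inconsistencies.append((i, ev.gauge, expected_old, ev.old_bribe))
        view[ev.gauge] = ev.new_bribe
    return view, inconsistencies


def scenario(buggy: bool):
    """Run the report's attack scenario twice on one gauge (constructed sample
    addresses) and return (on-chain external bribes, observer view, inconsistencies)."""
    m = VoterModel(buggy=buggy)
    gauge = "0xgauge1"  # constructed placeholder, not a real address
    m.set_new_bribes(gauge, "0xint1", "0xext1")
    m.set_new_bribes(gauge, "0xint2", "0xext2")
    view, bad = replay(m.logs)
    return m.external_bribes, view, bad


if __name__ == "__main__":
    for buggy in (True, False):
        chain, view, bad = scenario(buggy)
        print("buggy" if buggy else "fixed", "| observer view matches chain:", chain == view,
              "| misleading previous-address fields:", len(bad))
```

Note that in both variants the observer's final view agrees with the on-chain mapping, because the new-address argument is correct; what the bug corrupts is the history. With the reported emission, every external update reports an internal bribe address as the value being replaced, so any audit trail or alert built on the previous-address field is wrong on each update, exactly as step 4 of the scenario describes.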