The onlyOwner functions that change critical parameters should emit events.
1) Events allow capturing the changed parameters so that off-chain tools/interfaces can register such changes with timelocks that allow users to evaluate them and consider if they would like to engage/exit based on how they perceive the changes as affecting the trustworthiness of the protocol or profitability of the implemented financial services.
2) The alternative of directly querying on-chain contract state for such changes is not considered practical for most users/usages.
3) Missing events do not promote transparency and if such changes immediately affect users’ perception of fairness or trustworthiness, they could exit the protocol causing a reduction in liquidity which could negatively impact protocol TVL and reputation.
In GaugeUpgradeable.sol contrcats, below are owner functions that do not emit any events in the contracts.
function setDistribution(address _distribution) external onlyOwner {
require(_distribution != address(0), "zero addr");
require(_distribution != DISTRIBUTION, "same addr");
DISTRIBUTION = _distribution;
}
///@notice set distribution address (should be GaugeProxyL2)
function setMerklGaugeMiddleman(address _newMerklGaugeMiddleman) external onlyOwner {
require(_newMerklGaugeMiddleman != address(0));
merklGaugeMiddleman = _newMerklGaugeMiddleman;
}
///@notice set distribution address (should be GaugeProxyL2)
function setIsDistributeEmissionToMerkle(bool _isDistributeEmissionToMerkle) external onlyOwner {
if (_isDistributeEmissionToMerkle) {
require(merklGaugeMiddleman != address(0));
}
isDistributeEmissionToMerkle = _isDistributeEmissionToMerkle;
}
///@notice set gauge rewarder address
function setGaugeRewarder(address _gaugeRewarder) external onlyOwner {
require(_gaugeRewarder != gaugeRewarder, "same addr");
gaugeRewarder = _gaugeRewarder;
}
///@notice set feeVault address
function setFeeVault(address _feeVault) external onlyOwner {
require(_feeVault != address(0), "zero addr");
require(_feeVault != feeVault, "same addr");
feeVault = _feeVault;
}
///@notice set new internal bribe contract (where to send fees)
function setInternalBribe(address _int) external onlyOwner {
require(_int >= address(0), "zero");
internal_bribe = _int;
}
and GaugeFactoryUpgradeable.sol
function setMerklGaugeMiddleman(address _newMerklGaugeMiddleman) external onlyOwner {
merklGaugeMiddleman = _newMerklGaugeMiddleman;
}
Recommendation
Add events to all onlyOwner functions that change critical parameters.
NOTE:
Issue applicable to all such instances in inscope contracts
Github username: @0xRizwan Twitter username: 0xRizwann Submission hash (on-chain): 0x8ca67b814b3209a78984b00f8ba821415be5e76137ea723fe528c41bf662bb71 Severity: low
Description: Description
The
onlyOwnerfunctions that change critical parameters should emit events.1) Events allow capturing the changed parameters so that off-chain tools/interfaces can register such changes with timelocks that allow users to evaluate them and consider if they would like to engage/exit based on how they perceive the changes as affecting the trustworthiness of the protocol or profitability of the implemented financial services.
2) The alternative of directly querying on-chain contract state for such changes is not considered practical for most users/usages.
3) Missing events do not promote transparency and if such changes immediately affect users’ perception of fairness or trustworthiness, they could exit the protocol causing a reduction in liquidity which could negatively impact protocol TVL and reputation.
In
GaugeUpgradeable.solcontrcats, below are owner functions that do not emit any events in the contracts.and
GaugeFactoryUpgradeable.solRecommendation
Add events to all
onlyOwnerfunctions that change critical parameters.NOTE: Issue applicable to all such instances in inscope contracts