hats-finance / Intuition-0x538dbadc50cc87b281cd655f1edbc6ebda02a66a

The smart contracts of the Intuition protocol v1.
https://intuition.systems

Missing Event Emissions in _mint and _burn Functions #12

Open hats-bug-reporter[bot] opened 1 week ago

hats-bug-reporter[bot] commented 1 week ago

Github username: --
Twitter username: --
Submission hash (on-chain): 0x3a0fa3dca59927c1a3bb40e8a2c2c652e3816db86648bef3b7fcc23accc24552
Severity: low

Description:

Description

The EthMultiVault contract uses a struct to manage user share balances within a vault. It includes an internal _mint function to add shares to a user's balance and an internal _burn function to subtract shares from a user's balance. However, both functions are missing event emissions to log these actions, which can lead to a lack of transparency and traceability in the contract's operations.

Attack Scenario

Describe how the vulnerability can be exploited.

Proof of Concept (PoC)

When a user calls the createAtom and depositAtom functions, no event is emitted regarding the minting of additional shares.

Also, when redeemAtom is called, no event is emitted regarding the burning of the shares.

Revised Code

Add event definitions and emit appropriate events in the _mint and _burn functions. This will enhance the transparency of the contract.
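The change suggested under Revised Code, sketched as an added example that is not part of the original report and not the project's code. The contract, struct, mapping, event and error names, along with the function signatures, are hypothetical stand-ins, since the page does not show EthMultiVault's storage layout or function signatures.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.21;

/// Simplified stand-in for a multi-vault share ledger; NOT the EthMultiVault source.
/// VaultState, vaults, SharesMinted, SharesBurned and InsufficientShares are
/// hypothetical names chosen for this sketch.
contract VaultSharesSketch {
    struct VaultState {
        uint256 totalShares;
        mapping(address => uint256) balanceOf;
    }

    // vault id => share accounting for that vault
    mapping(uint256 => VaultState) internal vaults;

    // Indexed fields let an indexer or monitor filter logs by account or vault id.
    event SharesMinted(address indexed to, uint256 indexed vaultId, uint256 amount, uint256 newBalance);
    event SharesBurned(address indexed from, uint256 indexed vaultId, uint256 amount, uint256 newBalance);

    error InsufficientShares(uint256 balance, uint256 amount);

    /// Credit shares, then log the change together with the resulting balance.
    function _mint(address to, uint256 vaultId, uint256 amount) internal {
        VaultState storage v = vaults[vaultId];
        v.balanceOf[to] += amount;
        v.totalShares += amount;
        emit SharesMinted(to, vaultId, amount, v.balanceOf[to]);
    }

    /// Debit shares with an explicit balance check, then log the change.
    function _burn(address from, uint256 vaultId, uint256 amount) internal {
        VaultState storage v = vaults[vaultId];
        uint256 balance = v.balanceOf[from];
        if (balance < amount) revert InsufficientShares(balance, amount);
        unchecked {
            // Safe: balance >= amount was checked above.
            v.balanceOf[from] = balance - amount;
        }
        v.totalShares -= amount;
        emit SharesBurned(from, vaultId, amount, balance - amount);
    }
}
```

Because the events are emitted inside the internal functions, every code path that changes a share balance produces a log entry, including paths that have no dedicated event of their own.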

mihailo-maksa commented 2 days ago

After careful consideration, we believe that this issue can be treated as an enhancement rather than a vulnerability. Here are the key points supporting our decision:

  1. Internal Functionality: The _mint and _burn functions are internal and not directly called by users. They are part of the internal logic of the contract and are not intended for direct interaction.
  2. Standard Compliance: We are already following the ERC4626 standard, which does not mandate the emission of events for internal _mint and _burn operations. The standard focuses on the essential functionalities required for compatibility and interoperability.
  3. Traceability: While event emissions can enhance transparency, the current implementation ensures all critical interactions are logged through existing mechanisms. The addition of events for these internal functions does not significantly improve the contract’s operational transparency.

In conclusion, while adding events could be beneficial for enhanced traceability, it is not necessary for the current design and functionality. This can be considered as an enhancement for future updates but is not required at this stage. Issue can be considered as invalid.