hats-finance / Thorn-protocol-0x1286ecdac50215a366458a14968fbca4bd95067d


Lack of event emissions in onlyOwner functions #32

Open hats-bug-reporter[bot] opened 3 days ago

hats-bug-reporter[bot] commented 3 days ago

Github username: --
Twitter username: --
Submission hash (on-chain): 0xef009bd8fdcf6d6be29e78d75ba6432831992897b61af724fda562f4f3d66527
Severity: low

Description: Sensitive onlyOwner functions in smart contracts often alter critical state variables. Without events emitted in these functions, external observers or dApps cannot easily track or react to these state changes. Missing events can obscure contract activity, hampering transparency and making integration more challenging. To resolve this, incorporate appropriate event emissions within these functions. Events offer an efficient way to log crucial changes, aiding in real-time tracking and post-transaction verification.

Particularly for the Thorn protocol, events are not emitted in StableSwapRouter.sol

    function kill() external onlyOwner {
        isKill = true; // <@ event not emitted
    }
    function unKill() external onlyOwner {
        isKill = false; // <@ event not emitted
    }

Apart from the lack of transparency for the off-chain tools, there is a lack of consistency with the other Thorn contracts. The other contracts emit events in such scenarios. For example: StableSwapTwoPool.sol


    function kill_me() external onlyOwner {
        require(kill_deadline > block.timestamp, "Exceeded deadline");
        is_killed = true;
        emit Kill();
    }

    /**
     * @notice Unpause a pool that was previously paused, re-enabling exchanges.
     */
    function unkill_me() external onlyOwner {
        is_killed = false;
        emit Unkill();
    }

Attack Scenario

Attachments

  1. Proof of Concept (PoC) File

StableSwapRouter::kill() and StableSwapRouter::unKill()

  1. Revised Code File (Optional)

Emit events in StableSwapRouter, similar to StableSwapTwoPool

    function kill() external onlyOwner {
        isKill = true;
        emit Kill();
    }

    function unKill() external onlyOwner {
        isKill = false;
        emit Unkill();
    }
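
A regression test for the revised code above, as an added example that is not part of the original submission or the Thorn code base. It assumes Foundry with forge-std installed; `KillSwitchExample` and `KillSwitchEventsTest` are hypothetical names, and the contract is a minimal stand-in for the router's kill switch, not StableSwapRouter itself.

```solidity
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for the router's kill switch (assumption, not Thorn source).
contract KillSwitchExample {
    address public immutable owner;
    bool public isKill;

    event Kill();
    event Unkill();

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function kill() external onlyOwner {
        isKill = true;
        emit Kill();
    }

    function unKill() external onlyOwner {
        isKill = false;
        emit Unkill();
    }
}

contract KillSwitchEventsTest is Test {
    // Redeclared so the test can emit the expected log for comparison.
    event Kill();
    event Unkill();

    KillSwitchExample internal router;

    function setUp() public { router = new KillSwitchExample(); }

    // Fails if either owner-only toggle stops emitting its event.
    function test_killAndUnkillEmit() public {
        vm.expectEmit(address(router));
        emit Kill();
        router.kill();
        assertTrue(router.isKill());

        vm.expectEmit(address(router));
        emit Unkill();
        router.unKill();
        assertFalse(router.isKill());
    }
}
```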

Ghoulouis commented 2 days ago

I don't think it's big enough to be a bug.