search

sherlock-audit / 2022-10-illuminate-judging

3 stars 0 forks source link

ak1 - ERC5095.sol : redeem and withdraw MUST emit the Redeem event. #189

Closed sherlock-admin closed 2 years ago

sherlock-admin commented 2 years ago

ak1

medium

ERC5095.sol : redeem and withdraw MUST emit the Redeem event.

Summary

As per the eip 5095 standard, redeem and withdraw MUST emit the Redeem event.

Vulnerability Detail

https://eips.ethereum.org/EIPS/eip-5095#:~:text=their%20backwards%20compatibility.-,MUST%20emit%20the%20Redeem%20event.,-MUST%20support%20a

https://eips.ethereum.org/EIPS/eip-5095#:~:text=to%20receiver.-,MUST%20emit%20the%20Redeem%20event.,-MUST%20support%20a

Refer the above links to get more about the redeem and withdraw standard of ERC5095.

As per the ERC5095 standard, redeem and withdraw functionalities should emit the Redeem event.

But, the illuminate's 5095 - withdraw and redeem do not have the redeem event.

Impact

Generally, events are used to inform the calling application about the current state of the contract, with the help of the logging facility of EVM.

Other application that integrate or use illuminate will suffer due this fact. They might assume that the event will happen and operations can be done which depends the event.

Other protocols that integrate with Illuminate's withdraw and redeem wrapper might wrongly assume that the functions emit the Redeem event. Thus, it might cause some integration problem in the future.

Code Snippet

Withdraw

https://github.com/sherlock-audit/2022-10-illuminate/blob/main/src/tokens/ERC5095.sol#L209-L277

Redeem

https://github.com/sherlock-audit/2022-10-illuminate/blob/main/src/tokens/ERC5095.sol#L284-L345

Tool used

Manual Review

Recommendation

It is recommended to follow the standard's MUST and implement them. This will be useful for both illuminate and who integrate the illuminate.

aktech297 commented 2 years ago

Escalate for 2 USDC I believe this is valid issue and need to be revisited. As per 5095 standard, Redeem event MUST be emitted.

sherlock-admin commented 2 years ago

Escalate for 2 USDC I believe this is valid issue and need to be revisited. As per 5095 standard, Redeem event MUST be emitted.

You've created a valid escalation for 2 USDC!

To remove the escalation from consideration: Delete your comment. To change the amount you've staked on this escalation: Edit your comment (do not create a new comment).

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.