sherlock-audit / 2024-04-titles-judging


recursiveEth - Title: Incorrect Emitter Address in Comment Event Emission #435

Closed sherlock-admin4 closed 4 months ago

sherlock-admin4 commented 5 months ago

recursiveEth

medium

Title: Incorrect Emitter Address in Comment Event Emission

Summary

In the mintWithComment function, an event Comment is emitted with the author indexed as the address of the contract (address(this)). However, it should emit msg.sender as the author to accurately reflect who made the comment.

Vulnerability Detail

The event Comment is emitted with the address of the contract (address(this)) as the author of the comment, which may not represent the actual sender of the transaction.

Impact

This issue might mislead users or applications consuming the event data into believing that the contract itself made the comment, rather than the actual sender who invoked the mintWithComment function.

Code Snippet

https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/editions/Edition.sol#L269

emit Comment(address(this), tokenId_, to_, comment_);

event Comment(
    address indexed edition, uint256 indexed tokenId, address indexed author, string comment
);

Tool used

Manual Review

Recommendation

Update the emission of the Comment event to use msg.sender as the author to accurately reflect the actual sender of the transaction.

ccashwell commented 5 months ago

Actually the comment is attributed to the token recipient (argument at position 3), in connection with the edition (argument at position 1). This is expected behavior.
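
For anyone consuming this event off-chain, the following added example (not part of the issue thread or the project's code) decodes a Comment log into its named fields, showing which argument of the emit call lands in `edition` and which in `author`. The addresses, token id and comment are constructed, and topic0 is a zeroed placeholder because the Python standard library has no Keccak-256.

```python
# Decode a log of:
#   event Comment(address indexed edition, uint256 indexed tokenId,
#                 address indexed author, string comment)
# emitted as: emit Comment(address(this), tokenId_, to_, comment_);

def word(value: int) -> bytes:
    """Left-pad an integer to one 32-byte ABI word."""
    return value.to_bytes(32, "big")

def encode_string(text: str) -> bytes:
    """ABI-encode one dynamic string: offset, length, zero-padded bytes."""
    raw = text.encode("utf-8")
    return word(32) + word(len(raw)) + raw + b"\x00" * (-len(raw) % 32)

def build_comment_log(edition: int, token_id: int, author: int, comment: str):
    """Lay out (topics, data) as the EVM does for this event (constructed input)."""
    topic0 = b"\x00" * 32  # placeholder for the event signature hash
    topics = [topic0, word(edition), word(token_id), word(author)]
    return topics, encode_string(comment)

def decode_comment_log(topics: list, data: bytes) -> dict:
    """Map topics and data back to the event's named fields."""
    if len(topics) != 4 or any(len(t) != 32 for t in topics):
        raise ValueError("Comment carries topic0 plus three indexed fields")
    offset = int.from_bytes(data[0:32], "big")
    length = int.from_bytes(data[offset:offset + 32], "big")
    body = data[offset + 32:offset + 32 + length]
    if len(body) != length:
        raise ValueError("truncated string data")
    return {
        "edition": "0x" + topics[1][12:].hex(),       # 1st emit argument
        "tokenId": int.from_bytes(topics[2], "big"),  # 2nd emit argument
        "author": "0x" + topics[3][12:].hex(),        # 3rd emit argument
        "comment": body.decode("utf-8"),              # non-indexed, in data
    }

if __name__ == "__main__":
    # Constructed stand-ins for address(this), tokenId_, to_ and comment_.
    topics, data = build_comment_log(0xED, 7, 0xB0B, "gm")
    for name, value in decode_comment_log(topics, data).items():
        print(f"{name}: {value}")
```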