
Report #30110

Report Date
April 15, 2024
Status
Closed
Payout

Redundant event emission can be misleading to oracles and also bloat up the event log.

Report Info

Report ID

#30110

Report type

Smart Contract

Has PoC?

Yes

Target

https://etherscan.io/address/0x39cdAf9Dc6057Fd7Ae81Aaed64D7A062aAf452fD

Impacts

  • Redundant event emission (Out of scope)

Description

The Fertilizer contract emits the ClaimFertilizer event in both the beanstalkUpdate and beanstalkMint functions, potentially leading to confusion and misinterpretation of contract behavior. This redundancy poses a risk of inefficiency and could result in developers and users misunderstanding the intended purpose of each function.

Vulnerability Details

The vulnerability lies in the redundant emission of the ClaimFertilizer event in both the beanstalkUpdate and beanstalkMint functions of the Fertilizer contract. This duplication can lead to confusion among developers and users, as it's not clear from the event alone whether the fertilizer was claimed due to an update or a minting operation. Such ambiguity can result in misinterpretation of contract behavior and may lead to inefficient use of blockchain resources.

// Example of redundant event emission
function beanstalkUpdate(address account, uint256[] memory ids, uint128 bpf) external onlyOwner returns (uint256) {
    // Update logic...
    emit ClaimFertilizer(ids, beans); // Redundant event emission
}

function beanstalkMint(address account, uint256 id, uint128 amount, uint128 bpf) external onlyOwner {
    // Minting logic...
    emit ClaimFertilizer(ids, beans); // Redundant event emission
}

Impact Details

This includes potential confusion and misunderstanding of contract behavior, increased gas costs due to redundant event emission, and inefficiency in the use of blockchain resources. While there may not be direct financial losses associated with this, the lack of clarity in contract events can lead to indirect consequences such as decreased user trust and adoption.

References

Immunefi Response

Immunefi has reviewed this vulnerability report and decided to close it since it is out of scope for the Beanstalk bug bounty program.
  • claimed impact by the whitehat is not in scope for the bug bounty program
  • claimed asset by the whitehat is in scope for the bug bounty program
  • PoC has not been submitted to the project
  • claimed severity is in scope for the bug bounty program

The project will now be automatically subscribed and receive a report of the closed submission and can evaluate if they are interested in re-opening it. However, note that they are not under any obligation to do so.
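
The ambiguity described under Vulnerability Details, as an added Solidity sketch that is not part of the report or of the Beanstalk code base: both entry points produce an identical ClaimFertilizer log, while a variant event carrying the call path lets an indexer tell them apart. The claimable mapping, the ClaimSource enum, the ClaimFertilizerFrom event and the owner handling are hypothetical stand-ins for the elided logic.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the Beanstalk Fertilizer source. Storage layout,
// ClaimSource and ClaimFertilizerFrom are hypothetical.
contract FertilizerEventSketch {
    enum ClaimSource { Update, Mint }

    // Event name and (ids, beans) arguments as used in the report's snippet.
    event ClaimFertilizer(uint256[] ids, uint256 beans);
    // Hypothetical variant that records which entry point triggered the claim.
    event ClaimFertilizerFrom(ClaimSource indexed source, uint256[] ids, uint256 beans);

    address public immutable owner = msg.sender;
    // Hypothetical accounting: claimable beans per fertilizer id and account.
    mapping(uint256 => mapping(address => uint256)) public claimable;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function beanstalkUpdate(address account, uint256[] memory ids, uint128 /* bpf */)
        external onlyOwner returns (uint256 beans)
    {
        beans = _claim(account, ids, ClaimSource.Update);
    }

    function beanstalkMint(address account, uint256 id, uint128 amount, uint128 /* bpf */)
        external onlyOwner
    {
        uint256[] memory ids = new uint256[](1);
        ids[0] = id;
        _claim(account, ids, ClaimSource.Mint);
        claimable[id][account] += amount; // stand-in for the minting logic
    }

    function _claim(address account, uint256[] memory ids, ClaimSource source)
        private returns (uint256 beans)
    {
        for (uint256 i = 0; i < ids.length; i++) {
            beans += claimable[ids[i]][account];
            claimable[ids[i]][account] = 0;
        }
        // Shown side by side for comparison; a deployment would keep one.
        emit ClaimFertilizer(ids, beans);             // identical log from both paths
        emit ClaimFertilizerFrom(source, ids, beans); // log that names the call path
    }
}
```

Because source is indexed, a log consumer can filter on the second topic to separate update-driven claims from mint-driven ones without decoding the transaction input.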