📄

Report #12523

Report Date
October 18, 2022

Lack of event emission after sensitive actions with POC

Report Info

Report ID

#12523

Target

Report type

Smart Contract

Impacts

Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)

Has PoC?

Yes

Bug Description

A clear and concise description of the bug.

in CurveFacet 0xd231498144c5b53b65b782343cdfb366472c7bf7 there is Lack of event emission after sensitive actions

there are functions addLiquidity exchange exchangeUnderlying removeLiquidity removeLiquidityImbalance removeLiquidityOneToken

and there is no event and emitting events for all this functions

Impact

Consider emitting events after sensitive changes take place, to facilitate tracking and notify off-chain clients following the contracts’ activity

Risk Breakdown

Difficulty to Exploit: Easy Weakness: CVSS2 Score:

Proof of concept

There is Lack of event emission after sensitive actions in CurveFacet

BIC Response

This is not a security bug report because:

  • Relevant events are emitted by Curve; and
  • Emitting an event during any of those methods would be duplicative of the underlying protocol, wasting gas and causing confusion with regards to what event should be trusted.

Due to these reasons, we are closing the submission and no reward will be issued.