[NAZ-M4] Incorrect Address Emitted #481
Labels
bug
Something isn't working
duplicate
This issue or pull request already exists
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/SemiFungibleVault.sol#L37
Vulnerability details
Impact
The Deposit() event in deposit() is emitted when an asset is deposited from msg.sender and shares are sent to a receiver. Its second parameter indicates the address that owns the asset. However, the Deposit() event emitted uses receiver (owner of shares) instead of msg.sender's (owner of assets) address. This may mislead protocol user interfaces and off-chain monitoring systems into misinterpreting the amounts of assets being redeemed or minted, causing confusion, flagging of alerts or DoS.
Tools Used
Manual Review
Recommended Mitigation Steps
Change
emit Deposit(msg.sender, receiver, id, assets, shares)
to
emit Deposit(msg.sender, msg.sender, id, assets, shares)
or change the wording in the NatSpec so that it reflects what is actually happening.
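The monitoring impact described above can be checked with a reconciliation like the following. This is an added example, not part of the original report or the project's code: it compares per-address asset totals derived from the second Deposit() field against the assets each account actually paid. The field names (caller, owner), the addresses and the amounts are constructed assumptions; in a real indexer the ground truth would come from the asset token's own transfer records.

```python
from collections import defaultdict

# Constructed sample data: each record models one deposit() call.
# "payer" is the account whose assets were transferred (msg.sender);
# "receiver" is the account credited with shares.
CALLS = [
    {"payer": "0xAlice", "receiver": "0xAlice", "id": 1, "assets": 100, "shares": 100},
    {"payer": "0xRouter", "receiver": "0xBob", "id": 1, "assets": 250, "shares": 250},
    {"payer": "0xRouter", "receiver": "0xCarol", "id": 2, "assets": 40, "shares": 40},
]

def emit_deposit(call, fixed):
    """Build the Deposit log as (caller, owner, id, assets, shares).

    fixed=False mirrors the reported behaviour (second field = receiver);
    fixed=True mirrors the first suggested mitigation (second field = msg.sender).
    The field names are assumptions made for this example.
    """
    owner = call["payer"] if fixed else call["receiver"]
    return (call["payer"], owner, call["id"], call["assets"], call["shares"])

def assets_by_owner(logs):
    """What an indexer computes if it trusts the second field as asset owner."""
    totals = defaultdict(int)
    for _caller, owner, _id, assets, _shares in logs:
        totals[owner] += assets
    return dict(totals)

def assets_by_payer(calls):
    """Ground truth: assets actually transferred, keyed by paying account."""
    totals = defaultdict(int)
    for c in calls:
        totals[c["payer"]] += c["assets"]
    return dict(totals)

def reconcile(calls, fixed):
    """Return {address: (from_events, from_transfers)} for every mismatch."""
    seen = assets_by_owner([emit_deposit(c, fixed) for c in calls])
    truth = assets_by_payer(calls)
    return {a: (seen.get(a, 0), truth.get(a, 0))
            for a in sorted(set(seen) | set(truth))
            if seen.get(a, 0) != truth.get(a, 0)}

if __name__ == "__main__":
    print("as reported:", reconcile(CALLS, fixed=False))
    print("after fix:  ", reconcile(CALLS, fixed=True))
```

Deposits where msg.sender and receiver are the same account reconcile either way; only deposits made on behalf of another address produce the mismatch.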