Events missing for critical actions of owner #46
Comments
|
Duplicate of #77 Again this could be considered not exactly the same, however the premise is the same that events aren't emitted on certain function calls. Having the event does not change the behaviour of the system, it only affects how users interact with it off chain and as such similar to the linked ticket is probably a low risk. Changes to the deployer also occur via DAO proposals and as such will be fully transparent before they occur. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Handle
0xRajeev
Vulnerability details
Impact
Tracer Perpetuals Factory has six functions that are onlyOwner() and change deployer contract addresses and market approvals. None of these emit events for off-chain monitoring of such critical actions.
Impact: Users (via front-end UIs) and Off-chain monitoring tools rely on events to gain visibility into any sensitive actions by the contract owner which may affect the security and trust in the project contracts. Without events, the owner in this case the Tracer DAO, may change any of the addresses/approvals without providing transparency to off-chain entities.
Proof of Concept
https://github.com/code-423n4/2021-06-tracer/blob/74e720ee100fd027c592ea44f272231ad4dfa2ab/src/contracts/TracerPerpetualsFactory.sol#L63-L68
https://github.com/code-423n4/2021-06-tracer/blob/74e720ee100fd027c592ea44f272231ad4dfa2ab/src/contracts/TracerPerpetualsFactory.sol#L119-L149
Tools Used
Manual Analysis
Recommended Mitigation Steps
Add and emit relevant events.
The text was updated successfully, but these errors were encountered: