#51286 [SC-Low] Event RestrictionsCreated uses wrong owner
Submitted on Aug 1st 2025 at 12:25:00 UTC by @p1ranh4 for Attackathon | Plume Network
Report ID: #51286
Report Type: Smart Contract
Severity: Low
Target: https://github.com/immunefi-team/attackathon-plume-network/blob/main/arc/src/restrictions/RestrictionsFactory.sol
Impacts:
Contract fails to deliver promised returns, but doesn't lose value
Description
Brief / Intro
The RestrictionsCreated event emitted by createWhitelistRestrictions reports msg.sender as the owner even when a different admin address was passed in and configured on the new contract.
Vulnerability Details
This mismatch misleads external indexers and any off-chain system that relies on the event to learn who administers a newly created restrictions contract.

```solidity
function createWhitelistRestrictions(address admin) external returns (address) {
    // Deploy a fresh implementation
    WhitelistRestrictions implementation = new WhitelistRestrictions();
    // Add the implementation to the whitelist
    FactoryStorage storage fs = _getFactoryStorage();
    bytes32 codeHash = _getCodeHash(address(implementation));
    fs.allowedImplementations[codeHash] = true;
    // Deploy proxy with the fresh implementation
    bytes memory initData =
        abi.encodeWithSelector(WhitelistRestrictions.initialize.selector, admin != address(0) ? admin : msg.sender); // @audit admin may differ from msg.sender
    address proxy = _deployProxy(address(implementation), initData);
    // Store the mapping
    fs.restrictionsToImplementation[proxy] = address(implementation);
    emit RestrictionsCreated(proxy, msg.sender, address(implementation), "Whitelist"); // @audit but the event always reports msg.sender
    emit ImplementationWhitelisted(address(implementation));
    return proxy;
}
```

The new contract is initialized with either the supplied admin or, when admin == address(0), msg.sender; the event, however, always emits msg.sender as the owner.
In this context msg.sender carries no meaning as the owner: the factory does not store it, and once an admin is set the caller holds no role or special access on the new contract. Emitting it as the owner therefore conveys nothing useful and misleads consumers of the event.
Renaming the owner event parameter to admin would also make the event's meaning clearer.
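The following is an added illustration, not code from the Plume repository or from the reporter. It reduces the factory to a minimal contract (the proxy deployment is dropped because the event mismatch does not depend on it) and places the buggy emit beside a fixed variant that emits the admin it actually configured. The Foundry test at the bottom reads the indexed topic the way an indexer would and shows the recorded "owner" diverging from on-chain state; it assumes a Foundry project with forge-std available.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not code from the Plume repository. Assumes forge-std
// is installed (Foundry project) for the test contract at the bottom.
import {Test, Vm} from "forge-std/Test.sol";

// Stand-in for WhitelistRestrictions: only the admin slot matters here.
contract Restrictions {
    address public admin;

    function initialize(address admin_) external {
        require(admin == address(0), "already initialized");
        admin = admin_;
    }
}

// Mirrors the reported behaviour: the admin actually configured may differ
// from the address the event advertises.
contract BuggyFactory {
    event RestrictionsCreated(address indexed restrictions, address indexed owner, address indexed implementation, string kind);

    function createWhitelistRestrictions(address admin) external returns (address) {
        Restrictions r = new Restrictions();
        r.initialize(admin != address(0) ? admin : msg.sender);
        // Bug: reports the caller, not the address that was made admin.
        emit RestrictionsCreated(address(r), msg.sender, address(r), "Whitelist");
        return address(r);
    }
}

// Suggested fix: resolve the admin once and emit the same value that was used.
contract FixedFactory {
    event RestrictionsCreated(address indexed restrictions, address indexed admin, address indexed implementation, string kind);

    function createWhitelistRestrictions(address admin) external returns (address) {
        address resolvedAdmin = admin != address(0) ? admin : msg.sender;
        Restrictions r = new Restrictions();
        r.initialize(resolvedAdmin);
        emit RestrictionsCreated(address(r), resolvedAdmin, address(r), "Whitelist");
        return address(r);
    }
}

contract RestrictionsEventTest is Test {
    address deployer = makeAddr("deployer");
    address designatedAdmin = makeAddr("admin");

    // topics[0] is the event signature; topics[2] is the second indexed
    // parameter (owner/admin), which is what an indexer would store.
    function emittedAdmin(Vm.Log[] memory logs) internal pure returns (address) {
        return address(uint160(uint256(logs[0].topics[2])));
    }

    function testBuggyFactoryAdvertisesCallerNotAdmin() public {
        BuggyFactory f = new BuggyFactory();
        vm.recordLogs();
        vm.prank(deployer);
        address r = f.createWhitelistRestrictions(designatedAdmin);
        address advertised = emittedAdmin(vm.getRecordedLogs());

        assertEq(Restrictions(r).admin(), designatedAdmin); // on-chain state is correct
        assertEq(advertised, deployer);                     // event reports the caller
        assertTrue(advertised != Restrictions(r).admin());  // indexer state now diverges
    }

    function testFixedFactoryAdvertisesActualAdmin() public {
        FixedFactory f = new FixedFactory();
        vm.recordLogs();
        vm.prank(deployer);
        address r = f.createWhitelistRestrictions(designatedAdmin);
        assertEq(emittedAdmin(vm.getRecordedLogs()), Restrictions(r).admin());
    }
}
```

Run with `forge test`. The first test passes precisely because the bug is present: the address recovered from the log is the deployer while the contract's admin is the designated address, which is the divergence an indexer would persist. The fix is deliberately a one-line change in the emit plus a local variable, so the event and the initialization can never disagree.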
Impact Details
The event misreports who administers the new restrictions contract, so any indexer, monitoring system or dashboard built on events records the wrong address. This affects the contract's external interface and data integrity; much of the DeFi ecosystem relies on events for indexing and monitoring rather than on reading contract state.
References
https://github.com/immunefi-team/attackathon-plume-network/blob/main/arc/src/restrictions/RestrictionsFactory.sol#L87
Proof of Concept
No PoC provided.