search
Active Boosts

#35768 [SC-Insight] `Market.set_pyth_contract_id` should emit an event

Submitted on Oct 7th 2024 at 09:43:53 UTC by @jasonxiale for IOP | Swaylendarrow-up-right

  • Report ID: #35768

  • Report Type: Smart Contract

  • Report severity: Insight

  • Target: https://github.com/Swaylend/swaylend-monorepo/blob/develop/contracts/market/src/main.sw

  • Impacts:

    • Contract fails to deliver promised returns, but doesn't lose value

hashtag
Description

hashtag
Brief/Intro

While changing the system configuration, an event should be emitted. `Market.set_pyth_contract_id` is used to change `Pyth contract`. Because Pyth is an important factor in the system, so an event should be emitted.

hashtag
Vulnerability Details

As shown in the following codearrow-up-right, there is not event emitted ```Rust 941 // # 10. Pyth Oracle management 942 #[storage(write)] 943 fn set_pyth_contract_id(contract_id: ContractId) { 944 // Only owner can set the Pyth contract ID 945 only_owner(); 946 storage.pyth_contract_id.write(contract_id); <<<--- event should be emitted 947 } ```

hashtag
Impact Details

Information about the Pyth is changed will be missing.

hashtag
References

Add any relevant links to documentation or code

hashtag
Proof of Concept

hashtag
Proof of Concept

As shown in the following codearrow-up-right, there is not event emitted ```Rust 941 // # 10. Pyth Oracle management 942 #[storage(write)] 943 fn set_pyth_contract_id(contract_id: ContractId) { 944 // Only owner can set the Pyth contract ID 945 only_owner(); 946 storage.pyth_contract_id.write(contract_id); <<<--- event should be emitted 947 } ```

Previous#35732 [SC-Low] Withdrawals can not be paused which could lead to protocol insolvency in case of issNext#35831 [SC-High] By bypassing base_borrow_min limitation borrows can create inabsorbable loans

Last updated

Was this helpful?