Skip to content

Latest commit

 

History

History
53 lines (28 loc) · 1.48 KB

013.md

File metadata and controls

53 lines (28 loc) · 1.48 KB

Prehistoric Rosewood Goose

Medium

[M-1] Incorrect Variable Name in Event May Lead to Misinterpretation and Audit Risks in Future

Summary

In the "BidClaimed" event, the 3rd parameter should be "buyReserveAmount" not "sellCouponAmount".

https://github.com/sherlock-audit/2024-12-plaza-finance/blob/main/plaza-evm/src/Auction.sol#L59

The naming discrepancy can mislead developers and auditors, as the emitted event in the "claimBid()" function (line 356) correctly uses "bidInfo.buyReserveAmount".

Root Cause

No response

Internal Pre-conditions

No response

External Pre-conditions

No response

Attack Path

No response

Impact

Usability: Developers may misinterpret the purpose of the variable, leading to incorrect assumptions and potential bugs during feature implementation or debugging.

Audit Risk: Incorrect variable name in event logs could result in incorrect interpretations of recorded transactions.

PoC

Emission of the event in the "claimBid()" function (Auction.sol line 356) uses "bidInfo.buyReserveAmount" as expected

https://github.com/sherlock-audit/2024-12-plaza-finance/blob/main/plaza-evm/src/Auction.sol#L356-L365

Mitigation

Change the 3rd parameter name from "sellCouponAmount" to "buyReserveAmount"

// Auction.sol, #59
-  event BidClaimed(uint256 indexed bidIndex, address indexed bidder, uint256 sellCouponAmount);
+  event BidClaimed(uint256 indexed bidIndex, address indexed bidder, uint256 buyReserveAmount);