Description

Compared to the upstream, this project adds a few significant admin-only configuration change functions, such as these:

function updateLiquidateWhiteList(address user, bool state) public {
    require(msg.sender == admin, "Unauthorized");

    if (state) {
        require(!liquidatorWhiteList[user], "User is already in the white list");
    }

    liquidatorWhiteList[user] = state;
    // No event emission
}

function triggerLiquidation(bool state) public returns (bool) {
    require(msg.sender == pauseGuardian || msg.sender == admin, "only pause guardian and admin can pause");
    require(msg.sender == admin || state == true, "only admin can unpause");

    liquidatable = state;
    // No event emission
    return state;
}

For DeFi protocols, it is common practice to emit events when significant configuration parameters are changed by the protocol admin. Event logging is essential for tracking state changes and maintaining transparency within the protocol. The absence of event emission makes it more difficult for off-chain automation and end users to monitor changes in the configuration.

Impact

Recommendations

We recommend adding event emissions to the functions that change the protocol's configuration. Specifically, we believe these functions in these contracts should have associated events:

• In Comptroller, updateLiquidateWhiteList(), triggerLiquidation(), _setBlackList(), and _setProtocalPaused()

• In CompositeOracle, setL2Aggregators()

This will help to maintain transparency and allow off-chain systems to monitor changes.

Remediation

This issue has been acknowledged by Takara Lend, and a fix was implemented in commit 6ef5c868↗.