Lack of event emissions for configuration changes
Description
Compared to the upstream, this project adds a few significant admin-only configuration change functions, such as these:
    function updateLiquidateWhiteList(address user, bool state) public {
        require(msg.sender == admin, "Unauthorized");
        if (state) {
            require(!liquidatorWhiteList[user], "User is already in the white list");
        }
        liquidatorWhiteList[user] = state;
        // No event emission
    }

    function triggerLiquidation(bool state) public returns (bool) {
        require(msg.sender == pauseGuardian || msg.sender == admin, "only pause guardian and admin can pause");
        require(msg.sender == admin || state == true, "only admin can unpause");
        liquidatable = state;
        // No event emission
        return state;
    }
For DeFi protocols, it is common practice to emit events when significant configuration parameters are changed by the protocol admin. Event logging is essential for tracking state changes and maintaining transparency within the protocol. The absence of event emission makes it more difficult for off-chain automation and end users to monitor changes in the configuration.
Impact
Recommendations
We recommend adding event emissions to the functions that change the protocol's configuration. Specifically, we believe these functions in these contracts should have associated events:
In Comptroller, updateLiquidateWhiteList(), triggerLiquidation(), _setBlackList(), and _setProtocalPaused()
In CompositeOracle, setL2Aggregators()
This will help to maintain transparency and allow off-chain systems to monitor changes.
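As an added illustration (not the project's code and not the fix in the remediation commit), the two functions shown in the description could emit events as follows. The contract name, the event names, and the old/new value layout are assumptions made for this sketch; the access checks and state writes are unchanged from the snippet above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal stand-in for the Comptroller storage touched by the two functions.
// Hypothetical names: ComptrollerEventsSketch, LiquidatorWhiteListUpdated,
// LiquidationStateChanged.
contract ComptrollerEventsSketch {
    address public admin;
    address public pauseGuardian;
    bool public liquidatable;
    mapping(address => bool) public liquidatorWhiteList;

    // Indexed fields let off-chain monitors filter logs by account or caller.
    // Logging the previous value lets a consumer see the transition without
    // replaying earlier state.
    event LiquidatorWhiteListUpdated(address indexed user, bool oldState, bool newState);
    event LiquidationStateChanged(address indexed caller, bool oldState, bool newState);

    constructor(address pauseGuardian_) {
        admin = msg.sender;
        pauseGuardian = pauseGuardian_;
    }

    function updateLiquidateWhiteList(address user, bool state) public {
        require(msg.sender == admin, "Unauthorized");
        if (state) {
            require(!liquidatorWhiteList[user], "User is already in the white list");
        }
        bool oldState = liquidatorWhiteList[user];
        liquidatorWhiteList[user] = state;
        // Emit after the write so the log reflects committed state.
        emit LiquidatorWhiteListUpdated(user, oldState, state);
    }

    function triggerLiquidation(bool state) public returns (bool) {
        require(msg.sender == pauseGuardian || msg.sender == admin, "only pause guardian and admin can pause");
        require(msg.sender == admin || state == true, "only admin can unpause");
        bool oldState = liquidatable;
        liquidatable = state;
        // The caller is logged because both admin and pause guardian may pause.
        emit LiquidationStateChanged(msg.sender, oldState, state);
        return state;
    }
}
```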
Remediation
This issue has been acknowledged by Takara Lend, and a fix was implemented in commit 6ef5c868.