3.7 Improved NameRenewed Event Generation in RegistrarController

  • ID: PVE-007

  • Severity: Low

  • Likelihood: Low

  • Impact: Low

  • Target: RegistrarController

  • Category: Coding Practices

  • CWE subcategory: CWE-1041

Description

In Ethereum, the event is an indispensable part of a contract and is mainly used to record a variety of runtime dynamics. In particular, when an event is emitted, it stores the arguments passed in transaction logs and these logs are made accessible to external analytics and reporting tools. Events can be emitted in a number of scenarios. One particular case is when system-wide parameters or settings are being changed. Another case is when tokens are being minted, transferred, or burned.

In the following, we use the UserRegistrarControllerWallet contract as an example. This contract has public functions that are used to renew names at a fixed cost. While examining the events that reflect the renew operation, we notice that the emitted NameRenewed event needs to reflect important state changes. Specifically, the event should reflect the actual cost price, not the msg.value amount (line 230). Because renew() refunds the surplus when msg.value exceeds price, the logged amount overstates the cost whenever the caller overpays.

function renew(
    string calldata name,
    uint256 duration
) external payable override {
    bytes32 labelhash = keccak256(bytes(name));
    uint256 tokenId = uint256(labelhash);
    uint256 price = rentPrice(name, duration, address(0));
    if (msg.value < price) {
        revert InsufficientValue();
    }
    uint256 expires = nameWrapper.renew(tokenId, duration);

    // Refund any overpayment to the caller.
    if (msg.value > price) {
        payable(msg.sender).transfer(msg.value - price);
    }

    // Line 230: the event logs msg.value rather than the price actually charged.
    emit NameRenewed(name, labelhash, msg.value, expires);
}

Recommendation

Properly emit the respective event when a name is renewed. The issue has been fixed by this commit: f84caf4.
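
A Foundry regression test for the recommendation above, added here as an example; it is not code from the audited project or from the fix commit. MockController, its fixed PRICE, the NameRenewed event declaration (including the indexed label) and the use of forge-std are assumptions made so the test is self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

import "forge-std/Test.sol";

// Hypothetical stand-in for the audited controller: fixed price, no NameWrapper.
contract MockController {
    // Assumed event declaration; the report only shows the emit statement.
    event NameRenewed(string name, bytes32 indexed label, uint256 cost, uint256 expires);
    error InsufficientValue();
    uint256 public constant PRICE = 1 ether; // constructed fixed renewal cost

    function renew(string calldata name, uint256 duration) external payable {
        bytes32 labelhash = keccak256(bytes(name));
        if (msg.value < PRICE) revert InsufficientValue();
        uint256 expires = block.timestamp + duration; // stands in for nameWrapper.renew
        if (msg.value > PRICE) payable(msg.sender).transfer(msg.value - PRICE);
        emit NameRenewed(name, labelhash, PRICE, expires); // log the price actually charged
    }
}

contract NameRenewedEventTest is Test {
    event NameRenewed(string name, bytes32 indexed label, uint256 cost, uint256 expires);
    MockController controller;

    function setUp() public {
        controller = new MockController();
    }

    receive() external payable {} // accept the refund of the overpayment

    function testOverpaidRenewalLogsPriceNotMsgValue() public {
        vm.deal(address(this), 3 ether);
        uint256 duration = 365 days;
        // Check topic1 (label) and the data fields (name, cost, expires).
        vm.expectEmit(true, false, false, true, address(controller));
        emit NameRenewed("alice", keccak256(bytes("alice")), 1 ether, block.timestamp + duration);
        controller.renew{value: 3 ether}("alice", duration); // overpays by 2 ether
        assertEq(address(controller).balance, 1 ether); // only the price is retained
        assertEq(address(this).balance, 2 ether);       // surplus refunded
    }
}
```

With the original emit (msg.value as the third argument) the expected cost of 1 ether would not match the logged 3 ether and the test would fail.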
