Omniscia Euler Finance Audit
BorrowUtils Manual Review Findings
BorrowUtils Manual Review Findings
BUS-01M: Improper Event Emittance
| Type | Severity | Location |
|---|---|---|
| Standard Conformity |  | BorrowUtils.sol:L93, L94 |
Description:
The BorrowUtils::transferBorrow function will emit two events when performing a transfer of debt from one account to another, both of which will either originate or end at the zero-address indicating mint or burn operations respectively.
These data points will be obfuscated off-chain as the borrow change of both the from and to account will encompass any uncaptured interest, rendering off-chain evaluation of the actual amount transferred computationally expensive and reliant on historical data.
Impact:
As the impact would be purely observable off-chain and for potential integrators, we consider this exhibit to be informational in nature.
Example:
70function transferBorrow(VaultCache memory vaultCache, address from, address to, Assets assets) internal {71 Owed amount = assets.toOwed();72
73 (Owed fromOwed, Owed fromOwedPrev) = updateUserBorrow(vaultCache, from);74 (Owed toOwed, Owed toOwedPrev) = updateUserBorrow(vaultCache, to);75
76 // If amount was rounded up, or dust is left over, transfer exact amount owed77 if ((amount > fromOwed && (amount - fromOwed).isDust()) || (amount < fromOwed && (fromOwed - amount).isDust()))78 {79 amount = fromOwed;80 }81
82 if (amount > fromOwed) revert E_InsufficientBalance();83
84 unchecked {85 fromOwed = fromOwed - amount;86 }87
88 toOwed = toOwed + amount;89
90 vaultStorage.users[from].setOwed(fromOwed);91 vaultStorage.users[to].setOwed(toOwed);92
93 logBorrowChange(from, fromOwedPrev, fromOwed);94 logBorrowChange(to, toOwedPrev, toOwed);95}Recommendation:
We advise the code to emit events that synchronize the latest borrow balance, and then emit an event actually signifying the transfer of balance thus greatly aiding off-chain services in parsing the Euler Finance debt-related events.
Alleviation (fb2dd77a6f):
The Euler Finance team specified that they alleviated this exhibit in their response document, however, it appears to remain open in the final commit hash and may have been lost in between commits.
We attempted to identify a fix for this finding within the commit history of the PR supplied to us, however, we did not find any commit hash's name to signify a fix for this exhibit.
As the Euler Finance team intended to alleviate it, we advise them to revisit this exhibit as it remains open.
Alleviation (0f2192ac81):
The Euler Finance team clarified that the exhibit had been properly addressed in the original iteration of the final report albeit via changes at a different contract.
The Borrowing::transferBorrow function is invoked in two scenarios; a liquidation (Liquidation::liquidate) and a debt pull (Borrowing::pullDebt). The Euler Finance team identified that the liquidation execution path already emitted the debt transferred, and thus proceeded to introduce a PullDebt event to the Borrowing::pullDebt function as a gas optimal alleviation to this exhibit.
In light of this clarification, we consider this exhibit originally alleviated in the previous commit and thus addressed in the latest one as well.