Tadle

Summary

In the createMarketPlace function, the event CreateMarketPlaceInfo is emitted with the marketPlaceName string marked as indexed. However, according to Solidity documentation, when a non-value type like a string is indexed in an event, a Keccak-256 hash of the value is stored instead of the actual string. This results in the marketPlaceName being lost in the event data, leading to potential integration issues and increased complexity for users and front-end developers.

Note: This is the same for marketPlaceName in event UpdateMarket.

Vulnerability Details

In the createMarketPlace function, the event CreateMarketPlaceInfo is emitted as follows:

The CreateMarketPlaceInfo event is defined as:

It is noted that string marketPlaceName is indexed.

Here, the marketPlaceName is indexed, which, according to the Solidity documentation, means that instead of storing the string directly, a Keccak-256 hash of the string is stored. Consequently, the actual marketPlaceName is lost in the event emission.

This introduces several problems:

1. Data Loss: The actual marketPlaceName is not directly retrievable from the event logs.

2. Increased Complexity: Users and front-end developers must hash all known marketPlaceName strings and compare them with the emitted hash to determine the original value. This adds unnecessary complexity and workload.

Impact

The data loss of marketPlaceName in the emitted event could lead to difficulties in integrating with the contract, as the original string is not directly accessible from the event logs. Although it’s possible to

NOTE:
Similar issues are also marked as Valid/Low in the following:

1. Staking Event Emits Public Key In Hashed Form

2. L-01 : The indexed Keyword in Events Causes Data Loss for Variables of type bytes

3. ...

Tools Used

Manual, Solidity DOC

Recommendations

To mitigate this issue, it is recommended to remove the indexed keyword for marketPlaceName.