Mystery Box

First Flight #25
Beginner Friendly · Foundry
100 EXP
Submission Details
Severity: low
Invalid

Lack of Events for Critical State Changes

Summary

The contract does not emit events for critical state changes such as box purchases, box openings, reward additions, and ownership transfers. This omission hampers transparency, auditing, and the ability to track contract interactions effectively.

Vulnerability Details

In the MysteryBox.sol contract, critical functions do not emit events to log state changes. For example:

  • buyBox does not emit an event when a box is purchased.

  • openBox does not emit an event when a box is opened and a reward is granted.

  • addReward does not emit an event when a new reward is added.

  • changeOwner does not emit an event when ownership is transferred.

Impact

This reduces the contract's transparency and makes it harder to audit and monitor activity. Off-chain tooling (indexers, monitoring, incident-response timelines) relies on events, so users and developers cannot reliably track actions performed within the contract, leading to a lack of accountability and trust.

Tools Used

Manual code review

Recommendations

Implement event emissions for all critical state-changing functions to enhance transparency and facilitate easier monitoring and auditing.

Example event declarations and emissions:

    // Event declarations (inside contract MysteryBox; the Reward struct and the
    // boxPrice, boxesOwned, rewardsOwned, rewardPool and owner state variables
    // are those of the original contract)
    event BoxPurchased(address indexed buyer, uint256 amount);
    event BoxOpened(address indexed opener, string rewardName, uint256 rewardValue);
    event RewardAdded(string name, uint256 value);
    event OwnerChanged(address indexed previousOwner, address indexed newOwner);

    // buyBox function with event emission
    function buyBox() public payable {
        require(msg.value == boxPrice, "Incorrect ETH sent");
        boxesOwned[msg.sender] += 1;
        emit BoxPurchased(msg.sender, 1);
    }

    // openBox function with event emission
    function openBox() public {
        require(boxesOwned[msg.sender] > 0, "No boxes to open");
        // Randomness derivation left exactly as in the original contract; only the event is added here
        uint256 randomValue = uint256(
            keccak256(abi.encodePacked(block.timestamp, msg.sender))
        ) % 100;
        Reward memory reward;
        if (randomValue < 75) {
            reward = Reward("Coal", 0 ether);
        } else if (randomValue < 95) {
            reward = Reward("Bronze Coin", 0.1 ether);
        } else if (randomValue < 99) {
            reward = Reward("Silver Coin", 0.5 ether);
        } else {
            reward = Reward("Gold Coin", 1 ether);
        }
        rewardsOwned[msg.sender].push(reward);
        boxesOwned[msg.sender] -= 1;
        emit BoxOpened(msg.sender, reward.name, reward.value);
    }

    // addReward function with event emission
    function addReward(string memory _name, uint256 _value) public {
        require(msg.sender == owner, "Only owner can add rewards");
        rewardPool.push(Reward(_name, _value));
        emit RewardAdded(_name, _value);
    }

    // changeOwner function with event emission
    function changeOwner(address _newOwner) public {
        require(msg.sender == owner, "Only owner can change ownership");
        require(_newOwner != address(0), "Invalid new owner");
        // Emit before the assignment so the event records the previous owner
        emit OwnerChanged(owner, _newOwner);
        owner = _newOwner;
    }

By emitting these events, the contract provides a transparent and easily accessible log of essential actions, facilitating better user experience and smoother auditing processes.
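A Foundry test that checks the recommended emissions, added here as an example and not part of the original submission or the project's test suite. It assumes a payable, argument-less constructor seeded with 0.1 ether that sets owner to the deployer and boxPrice to 0.1 ether, and that owner is a public state variable; adjust those to the actual contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import {Test} from "forge-std/Test.sol";
import {MysteryBox} from "../src/MysteryBox.sol";

contract MysteryBoxEventsTest is Test {
    // Redeclared locally so the test can emit a reference event for vm.expectEmit to compare against.
    event BoxPurchased(address indexed buyer, uint256 amount);
    event OwnerChanged(address indexed previousOwner, address indexed newOwner);

    MysteryBox box;
    address buyer = makeAddr("buyer");
    address newOwner = makeAddr("newOwner");

    function setUp() public {
        // Assumption: payable no-argument constructor; owner = msg.sender, boxPrice = 0.1 ether.
        box = new MysteryBox{value: 0.1 ether}();
        vm.deal(buyer, 1 ether);
    }

    function test_buyBox_emitsBoxPurchased() public {
        // checkTopic1 = true: the indexed buyer must match (this is what lets an
        // off-chain monitor filter purchases per address); checkData = true: amount must match.
        vm.expectEmit(true, false, false, true, address(box));
        emit BoxPurchased(buyer, 1);
        vm.prank(buyer);
        box.buyBox{value: 0.1 ether}();
    }

    function test_changeOwner_emitsPreviousAndNewOwner() public {
        // Both indexed topics are checked: the emit precedes the assignment, so
        // previousOwner must be the deployer (this test contract), not the new owner.
        vm.expectEmit(true, true, false, false, address(box));
        emit OwnerChanged(address(this), newOwner);
        box.changeOwner(newOwner);
        assertEq(box.owner(), newOwner); // assumes owner is public
    }
}
```

Run with forge test; without the emits in the recommendation both tests fail on the expectEmit check, which is the regression guard a reviewer wants for this finding.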

Updates

Appeal created

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
