Mystery Box

First Flight #25
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: low
Invalid

Lack of Event Emission in MysteryBox Contract

Summary

The contract currently does not emit any events when important actions, such as box purchases, reward claims, or withdrawals, take place. Event emission is critical for logging and off-chain tracking by dApps, wallets, and analytics services, ensuring transparency and traceability for users and developers.

Vulnerability Details

The MysteryBox contract does not emit an event in any of its function implementations.

In Solidity, events play a pivotal role in providing a log of significant contract interactions that can be easily tracked off-chain. Without the inclusion of these events, users, developers, and external services will find it challenging to monitor key activities such as when a user purchases a box, opens it, claims rewards, or when the owner withdraws funds from the contract. This lack of event emission can hinder the ability to trace the contract’s activity and debug potential issues, reducing overall transparency and user trust in the system.

Impact

The absence of event logs can result in user frustration and reduced trust in the contract due to the lack of visibility into their interactions.

Without events, the contract lacks transparency, making it difficult for users, developers, and third-party services to track important actions like box purchases, reward claims, and fund withdrawals. This leads to challenges in monitoring, auditing, and off-chain integration, while also complicating debugging.

Event emission is important for ensuring clear, transparent, and easily trackable contract activity.

Tools Used

Manual Review

Recommendations

I recommend you consider emitting events for the following critical actions:

  • When a user purchases a mystery box (buyBox()).

  • When a user opens a box and wins a reward (openBox()).

  • When a user claims all of their rewards (claimAllRewards()).

  • When a user claims a single reward (claimSingleReward()).

  • When the owner withdraws funds from the contract (withdrawFunds()).

By doing this, contract interactions will be traceable and easier to monitor, improving both the user experience and debugging process.
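The pattern recommended above, as an added example that is neither the MysteryBox source nor part of the original submission. Only the function names come from the report; the state layout, the fixed reward value, the parameters and the event names are assumptions. claimAllRewards() would emit its own event in the same way.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Added illustration: simplified stand-in, NOT the audited MysteryBox source.
// State, prices, parameters and event names below are assumptions.
contract MysteryBoxEventsSketch {
    address public owner;
    uint256 public boxPrice = 0.1 ether; // assumed price
    mapping(address => uint256) public boxesOwned;
    mapping(address => uint256[]) private rewards; // reward values in wei

    // indexed fields let off-chain consumers filter logs by address
    event BoxPurchased(address indexed buyer, uint256 pricePaid);
    event BoxOpened(address indexed user, uint256 rewardValue);
    event RewardClaimed(address indexed user, uint256 index, uint256 value);
    event FundsWithdrawn(address indexed recipient, uint256 amount);

    constructor() { owner = msg.sender; }

    function buyBox() external payable {
        require(msg.value == boxPrice, "Incorrect ETH sent");
        boxesOwned[msg.sender] += 1;
        emit BoxPurchased(msg.sender, msg.value);
    }

    function openBox() external {
        require(boxesOwned[msg.sender] > 0, "No boxes to open");
        boxesOwned[msg.sender] -= 1;
        uint256 value = 0.05 ether; // placeholder; reward selection is out of scope
        rewards[msg.sender].push(value);
        emit BoxOpened(msg.sender, value);
    }

    function claimSingleReward(uint256 index) external {
        require(index < rewards[msg.sender].length, "Invalid index");
        uint256 value = rewards[msg.sender][index];
        require(value > 0, "No reward to claim");
        rewards[msg.sender][index] = 0; // state change before the transfer
        emit RewardClaimed(msg.sender, index, value);
        (bool ok, ) = payable(msg.sender).call{value: value}("");
        require(ok, "Transfer failed");
    }

    function withdrawFunds() external {
        require(msg.sender == owner, "Only owner");
        uint256 amount = address(this).balance;
        emit FundsWithdrawn(owner, amount);
        (bool ok, ) = payable(owner).call{value: amount}("");
        require(ok, "Transfer failed");
    }
}
```

Because a failed transfer reverts the whole transaction, an event emitted before the call never appears in the logs unless the payment actually went through.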

Updates

Appeal created

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
