RustFund
First Flight #36
Beginner FriendlyRust
100 EXP
View results
Previous Next
Submission Details
Severity: medium
Invalid

Missing Event Emissions for Critical Transactions

0xblackadam

Summary

A significant vulnerability exists in the crowdfunding contract due to the complete absence of event emissions for critical state-changing transactions. This omission severely compromises on-chain transparency, makes tracking and auditing difficult, and reduces the contract's overall observability and accountability.

Vulnerability Details

The contract lacks event emissions for key transactions, including:

  • Fund creation

  • Contributions

  • Deadline setting

  • Refunds

  • Fund withdrawals

Critical code sections demonstrate the complete absence of event logging:

pub fn fund_create(ctx: Context<FundCreate>, name: String, description: String, goal: u64) -> Result<()> {
let fund = &mut ctx.accounts.fund;
// No event emitted for fund creation
fund.name = name;
fund.description = description;
// ... other initializations
Ok(())
}
pub fn contribute(ctx: Context<FundContribute>, amount: u64) -> Result<()> {
// No event emitted for contribution
fund.amount_raised += amount;
Ok(())
}

Impact

The vulnerability creates severe consequences:

  • Difficulty in tracking fund lifecycle

  • Challenges in external system integration

  • Reduced ability to monitor suspicious activities

  • Increased complexity for blockchain explorers

  • Diminished user confidence in the platform

  • Compromised compliance and reporting capabilities

Potential scenarios include:

  • Unable to track individual contributions

  • No record of fund creation or closure

  • Difficulty in verifying transaction history

  • Challenges in creating external dashboards or analytics

Recommendations

Immediate and comprehensive recommendations include:

  1. Implement Comprehensive Event Emissions

// Example event emission structure
#[event]
pub struct FundCreatedEvent {
pub fund_name: String,
pub creator: Pubkey,
pub goal: u64,
pub timestamp: i64
}
#[event]
pub struct ContributionEvent {
pub fund: Pubkey,
pub contributor: Pubkey,
pub amount: u64,
pub timestamp: i64
}
pub fn fund_create(ctx: Context<FundCreate>, name: String, description: String, goal: u64) -> Result<()> {
// Existing fund creation logic
// Emit event for fund creation
emit!(FundCreatedEvent {
fund_name: name,
creator: ctx.accounts.creator.key(),
goal,
timestamp: Clock::get()?.unix_timestamp
});
Ok(())
}
pub fn contribute(ctx: Context<FundContribute>, amount: u64) -> Result<()> {
// Existing contribution logic
// Emit contribution event
emit!(ContributionEvent {
fund: fund.key(),
contributor: ctx.accounts.contributor.key(),
amount,
timestamp: Clock::get()?.unix_timestamp
});
Ok(())
}

  1. Create Events for All Critical Transactions

  • Fund creation

  • Contributions

  • Deadline setting

  • Refunds

  • Withdrawals

  1. Include Comprehensive Event Details

  • Timestamp of transaction

  • Involved parties

  • Transaction amounts

  • Relevant account states

Tools Used

  • Manual code review

  • Static code analysis

  • Manual technical inspection

Updates

Appeal created

bube Lead Judge 2 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.