Eggstravaganza

First Flight #37
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: low
Invalid

Missing Event Logging Makes Debugging and Monitoring Difficult

Summary

The contract lacks event emission for critical state changes. Events are essential for tracking contract activity, debugging, and off-chain indexing.

Vulnerability Details

  1. The EggstravaganzaNFT::setGameContract function updates the EggstravaganzaNFT::gameContract variable without emitting an event:

    /// @notice Only the owner can set the game contract allowed to mint eggs.
    function setGameContract(address _gameContract) external onlyOwner {
        require(_gameContract != address(0), "Invalid game contract address");
    @>  gameContract = _gameContract;
    }

  2. The EggstravaganzaNFT::mintEgg function mints an NFT but does not emit an event:

    /// @notice Public function to mint a new Eggstravaganza NFT.
    /// Only the approved game contract can mint eggs.
    function mintEgg(address to, uint256 tokenId) external returns (bool) {
        require(msg.sender == gameContract, "Unauthorized minter");
        _mint(to, tokenId);
    @>  totalSupply += 1;
        return true;
    }

  3. The EggVault::setEggNFT function sets the NFT contract address without emitting an event:

    /// @notice Set the NFT contract address.
    function setEggNFT(address _eggNFTAddress) external onlyOwner {
        require(_eggNFTAddress != address(0), "Invalid NFT address");
    @>  eggNFT = EggstravaganzaNFT(_eggNFTAddress);
    }

  4. The EggHuntGame::setEggFindThreshold function sets the new find threshold without emitting an event:

    function setEggFindThreshold(uint256 newThreshold) external onlyOwner {
        require(newThreshold <= 100, "Threshold must be <= 100");
    @>  eggFindThreshold = newThreshold;
    }

Impact

  1. Debugging and monitoring become difficult without transaction logs

  2. Reduced transparency and observability in contract execution

Tools Used

  1. Foundry

  2. Aderyn

Recommendations

Introduce event logging for critical state changes to improve contract transparency and traceability. Modify the functions to emit these events and add the following event declarations:

  1. src/EggstravaganzaNFT.sol:

+ event GameContractUpdated(address indexed newGameContract);
+ event EggMinted(address indexed to, uint256 indexed tokenId);
.
.
.
/// @notice Only the owner can set the game contract allowed to mint eggs.
function setGameContract(address _gameContract) external onlyOwner {
require(_gameContract != address(0), "Invalid game contract address");
gameContract = _gameContract;
+ emit GameContractUpdated(_gameContract);
}
/// @notice Public function to mint a new Eggstravaganza NFT.
/// Only the approved game contract can mint eggs.
function mintEgg(address to, uint256 tokenId) external returns (bool) {
require(msg.sender == gameContract, "Unauthorized minter");
_mint(to, tokenId);
totalSupply += 1;
+ emit EggMinted(to, tokenId);
return true;
}
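Review bot: GameContractUpdated in setGameContract carries only the new address, so a monitor reading the log cannot see which minter was replaced. Consider reading the current gameContract before the assignment and emitting both the old and the new value. Separately, in mintEgg, if `_mint` is a standard ERC-721 implementation it already emits Transfer from the zero address with the same `to` and `tokenId`, so EggMinted would duplicate that log; worth confirming before adding it.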
  2. src/EggVault.sol:

+ event EggNFTSet(address indexed newEggNFT);
/// @notice Set the NFT contract address.
function setEggNFT(address _eggNFTAddress) external onlyOwner {
require(_eggNFTAddress != address(0), "Invalid NFT address");
eggNFT = EggstravaganzaNFT(_eggNFTAddress);
+ emit EggNFTSet(_eggNFTAddress);
}
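Review bot: the event name EggNFTSet breaks the naming pattern of the other two setter events in this change, GameContractUpdated and EggFindThresholdUpdated. Renaming it to something like EggNFTUpdated keeps the admin-change events uniform for anyone filtering logs across the three contracts. As with the other setters, the event records only the new address, so the previous eggNFT value is not recoverable from the log alone.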
  3. src/EggHuntGame.sol:

+ event EggFindThresholdUpdated(uint256 newThreshold);
.
.
.
function setEggFindThreshold(uint256 newThreshold) external onlyOwner {
require(newThreshold <= 100, "Threshold must be <= 100");
eggFindThreshold = newThreshold;
+ emit EggFindThresholdUpdated(newThreshold);
}
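Review bot: the emit in setEggFindThreshold fires unconditionally, including when newThreshold equals the current eggFindThreshold, which produces an "updated" log for a call that changed nothing. Either skip the emit when the value is unchanged or declare the event with both the previous and the new threshold so a reader of the log can tell a real change from a no-op.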

Updates

Lead Judging Commences

m3dython Lead Judge about 2 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Event Emission

Standard practice for clarifying important contract behaviors
