Rock Paper Scissors

First Flight #38
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: low
Invalid

Admin Role Transfer Without Event Emission

Summary

The setAdmin() function in the RockPaperScissors contract changes the admin address state variable but does not emit an event when this critical role transfer occurs. This reduces on-chain transparency and makes it difficult for external systems to monitor administrative changes.

Vulnerability Details

When the admin role is transferred to a new address using the setAdmin() function, the state change occurs but no event is emitted to signal this important change. Administrative role changes should always be accompanied by events to maintain a clear audit trail of contract governance.

function setAdmin(address _newAdmin) external {
    require(msg.sender == adminAddress, "Only admin can set new admin");
    require(_newAdmin != address(0), "Admin cannot be zero address");
    adminAddress = _newAdmin;
    // No event is emitted here
}

The absence of an event for this administrative change makes it difficult for off-chain monitoring systems to track changes in contract governance and reduces transparency for users and stakeholders.

Impact

This issue affects the contract's transparency and auditability, making it difficult to track administrative changes through on-chain data. While it doesn't directly lead to fund loss, it reduces the ability to monitor potential security-related changes and complicates governance oversight.

The impact is considered low because:

  • It doesn't directly affect contract functionality or security

  • It doesn't put user funds at risk

  • It's primarily an issue of transparency and best practices

Tools Used

Manual review

Recommendations

Add an event emission when the admin role is transferred:

// Add event declaration
event AdminTransferred(address indexed previousAdmin, address indexed newAdmin);

function setAdmin(address _newAdmin) external {
    require(msg.sender == adminAddress, "Only admin can set new admin");
    require(_newAdmin != address(0), "Admin cannot be zero address");
    address oldAdmin = adminAddress;
    adminAddress = _newAdmin;
    // Emit event after state change
    emit AdminTransferred(oldAdmin, _newAdmin);
}

This change follows the pattern used in OpenZeppelin's Ownable contract and significantly improves transparency around administrative changes.
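
A regression test for the recommended fix, added here as an example; it is not part of the submission or of the contest codebase. It assumes a Foundry project with forge-std installed, and AdminStub is a hypothetical minimal stand-in that models only the admin logic of RockPaperScissors.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

import {Test} from "forge-std/Test.sol";

// Hypothetical minimal stand-in for the admin logic of RockPaperScissors,
// with the recommended event added. Only setAdmin() is modelled.
contract AdminStub {
    address public adminAddress;
    event AdminTransferred(address indexed previousAdmin, address indexed newAdmin);

    constructor() { adminAddress = msg.sender; }

    function setAdmin(address _newAdmin) external {
        require(msg.sender == adminAddress, "Only admin can set new admin");
        require(_newAdmin != address(0), "Admin cannot be zero address");
        address oldAdmin = adminAddress;
        adminAddress = _newAdmin;
        emit AdminTransferred(oldAdmin, _newAdmin);
    }
}

contract AdminTransferredTest is Test {
    // Redeclared so the test can emit the expected log for comparison.
    event AdminTransferred(address indexed previousAdmin, address indexed newAdmin);

    AdminStub internal stub;
    address internal newAdmin = makeAddr("newAdmin"); // constructed test address

    function setUp() public {
        stub = new AdminStub(); // the test contract becomes the admin
    }

    function test_setAdmin_emitsAdminTransferred() public {
        // Match both indexed topics, the (empty) data and the emitting contract.
        vm.expectEmit(true, true, false, true, address(stub));
        emit AdminTransferred(address(this), newAdmin);
        stub.setAdmin(newAdmin);
        assertEq(stub.adminAddress(), newAdmin);
    }

    function test_setAdmin_rejectedCallerEmitsNothing() public {
        vm.recordLogs();
        vm.prank(newAdmin); // caller is not the current admin
        vm.expectRevert(bytes("Only admin can set new admin"));
        stub.setAdmin(newAdmin);
        assertEq(vm.getRecordedLogs().length, 0); // no misleading transfer log
    }
}
```

Run with `forge test`; the first test fails against the original setAdmin() because no matching log is emitted.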

Updates

Appeal created

m3dython Lead Judge about 2 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational

Code suggestions or observations that do not pose a direct security risk.

