Secret Vault on Aptos

First Flight #46
Beginner Friendly, Wallet
100 EXP
Submission Details
Impact: low
Likelihood: high
Invalid

Empty Event reduces monitoring and auditability


Description

  • Normally, events are emitted with meaningful fields so that off-chain indexers and applications can react to changes in contract state (e.g., logging who changed the secret and when it was updated).

  • In this contract, the SetNewSecret event is declared without any fields. Off-chain consumers therefore cannot recover any useful information from it (such as the sender, the secret identifier, or a timestamp); they can only observe that some update happened. As a result, the event provides little to no value for monitoring or auditing.

// Root cause in the codebase with @> marks to highlight the relevant section
#[event]
@> struct SetNewSecret has drop, store {
}
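To make the contrast concrete, the following is an added example written for this report; it is not the audited contract's code. It assumes a hypothetical module address `example_addr`, a hypothetical `Vault` resource, and the standard Aptos framework `event`, `timestamp` and `account` modules. The event carries the owner address and a timestamp, and the test shows that an indexer-style consumer can read those fields back, which is exactly what the empty struct makes impossible. The secret itself is deliberately left out of the event because event data is publicly readable on-chain.

```move
module example_addr::secret_vault_event_example {
    use std::signer;
    use aptos_framework::event;
    use aptos_framework::timestamp;

    /// Hypothetical resource holding the secret (not the audited contract's layout).
    struct Vault has key {
        secret: vector<u8>,
    }

    /// Event with the data an off-chain consumer needs.
    /// The secret is NOT included: emitted event data is public on-chain.
    #[event]
    struct SetNewSecret has drop, store {
        owner: address,
        timestamp: u64,
    }

    /// Store (or overwrite) the caller's secret and emit a populated event.
    public entry fun set_secret(owner: &signer, secret: vector<u8>) acquires Vault {
        let addr = signer::address_of(owner);
        if (exists<Vault>(addr)) {
            let vault = borrow_global_mut<Vault>(addr);
            vault.secret = secret;
        } else {
            move_to(owner, Vault { secret });
        };
        event::emit(SetNewSecret {
            owner: addr,
            timestamp: timestamp::now_seconds(),
        });
    }

    #[test(aptos_framework = @aptos_framework, owner = @0xcc)]
    fun test_event_carries_data(aptos_framework: &signer, owner: &signer) acquires Vault {
        use aptos_framework::account;
        use std::vector;

        // timestamp::now_seconds() requires the time resource to be initialised in tests.
        timestamp::set_time_has_started_for_testing(aptos_framework);
        timestamp::update_global_time_for_test_secs(1_700_000_000);
        account::create_account_for_test(signer::address_of(owner));

        // Two updates: an indexer must be able to tell them apart and attribute them.
        set_secret(owner, b"first");
        set_secret(owner, b"second");

        let events = event::emitted_events<SetNewSecret>();
        assert!(vector::length(&events) == 2, 1);

        // With fields present, the consumer can read who updated the secret and when.
        let ev = vector::borrow(&events, 1);
        assert!(ev.owner == signer::address_of(owner), 2);
        assert!(ev.timestamp == 1_700_000_000, 3);
    }
}
```

Run with `aptos move test` in a package that depends on AptosFramework; the `@aptos_framework` named address resolves to `0x1` in that setup. The test would not compile against the original empty struct, because `ev.owner` and `ev.timestamp` do not exist there.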

Risk

Likelihood: High

  • This will always occur since the event is defined as empty.

Impact: Low

  • The event is emitted but does not provide any actionable information.

  • Off-chain systems cannot distinguish between different secret updates or track meaningful changes.

Proof of Concept

  1. Emit an event by calling set_secret.

  2. Count the events emitted with event::emitted_events<SetNewSecret>().

  3. Show that it is impossible to access any field of the event because the struct has none.

#[test(owner = @0xcc, user = @0x123)]
fun test_empty_event(owner: &signer, user: &signer) {
    use std::signer;
    use aptos_framework::account;
    use aptos_framework::event;
    use std::string;
    use std::vector;
    use std::debug;

    // Set up the test environment
    account::create_account_for_test(signer::address_of(owner));
    account::create_account_for_test(signer::address_of(user));

    // Define a secret and set it (this should emit the SetNewSecret event)
    let secret = b"i'm a secret";
    set_secret(owner, secret);

    // Read the emitted events
    let events = event::emitted_events<SetNewSecret>();

    // Check that at least one event was emitted
    assert!(vector::length(&events) > 0, 1);

    // Print the event count; the count is the only information available
    let count = vector::length(&events);
    debug::print(&string::utf8(b"Empty event data:"));
    debug::print(&count);

    // NOTE: no field can be accessed because the event struct has none,
    // so the owner, the secret identifier and the time of the update are all lost
    debug::print(&string::utf8(b"Event struct has 0 fields -> empty event"));
}

Recommended Mitigation

It is recommended to include relevant fields (e.g., owner and timestamp) in the event so that off-chain applications can properly track and audit contract activity.

- struct SetNewSecret has drop, store {
- }
+ struct SetNewSecret has drop, store {
+ owner: address,
+ timestamp: u64,
+ }
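Review bot: the emit site is not part of this hunk, so `set_secret` must also be changed to populate the two new fields (for example `event::emit(SetNewSecret { owner: signer::address_of(owner), timestamp: timestamp::now_seconds() })`, with `use aptos_framework::timestamp;` added to the module), otherwise the struct change alone will not compile where the event is currently constructed with no fields. It is also worth stating in the recommendation that the secret value itself must stay out of the event, since emitted event data is readable by anyone.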
Updates

Lead Judging Commences

bube Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Insufficient Data in `SetNewSecret` event

This is an Informational finding. It has no impact on the security of the protocol.
