Submission Details
Impact:
Likelihood:
Event Spam by Attackers
Description
-
Normal behavior: Events should correspond to meaningful state changes.
-
Issue: Attackers can repeatedly call
set_secretto emitSetNewSecretevents, inflating the blockchain event log unnecessarily.
// Root cause in the codebase
set_secret(attacker1, b"attacker1-secret"); // @> emits event repeatedly without checks
set_secret(attacker2, b"attacker2-secret");
Risk
Likelihood:
-
Any user can spam
set_secret. -
Happens when events are relied upon for analytics or game logic.
Impact:
-
Bloats storage and gas usage.
-
Makes it hard to distinguish meaningful events from spam.
Proof of Concept
#[test(owner = @0xcc, attacker1 = @0x111, attacker2 = @0x222)]
fun test_event_spam(owner: &signer, attacker1: &signer, attacker2: &signer) {
use aptos_framework::account;
use std::debug;
account::create_account_for_test(signer::address_of(owner));
account::create_account_for_test(signer::address_of(attacker1));
account::create_account_for_test(signer::address_of(attacker2));
set_secret(owner, b"owner-secret");
set_secret(attacker1, b"attacker1-secret");
set_secret(attacker2, b"attacker2-secret");
debug::print(&string::utf8(b"event spam success!"));
}
Recommended Mitigation
- event::emit(SetNewSecret {});
+ if (!exists<Vault>(signer::address_of(caller))) {
+ event::emit(SetNewSecret {});
+ }
Rewards breakdown
nSLOC
30This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.