Secret Vault on Aptos
First Flight #46
Beginner FriendlyWallet
100 EXP
View results
Previous Next
Submission Details
Impact: low
Likelihood: high
Invalid

Empty Event Structure Provides No Audit Trail for Secret Operations

0xrektified

Description

The SetNewSecret event emitted when secrets are set contains no fields (dummy_field: false is auto-generated), providing zero information about the operation. This makes it impossible to track when secrets were set, by whom, or any other relevant metadata for audit and monitoring purposes.

Root Cause

The event structure is defined without any meaningful fields to capture operation details:

Original Implementation:

#[event]
struct SetNewSecret has drop, store {
// @audit-issue: Empty event provides no useful information
}
public entry fun set_secret(caller:&signer,secret:vector<u8>){
let secret_vault = Vault{secret: string::utf8(secret)};
move_to(caller,secret_vault);
event::emit(SetNewSecret {}); // No data captured
}

Original Event Output (useless):

[debug] [
0xf2def06af10906e4da78ce8c7ab8a4b222e97dfe54af0bb0ab5f7e1a48379e85::vault::SetNewSecret {
dummy_field: false // Auto-generated field with no value
}
]

Risk

Likelihood: High - Occurs on every successful set_secret() call

Impact: Low - Reduces observability and audit capabilities but doesn't affect security or functionality

Impact

  • No audit trail: Cannot determine when secrets were last modified

  • No accountability: Cannot track which account triggered the event

  • Limited monitoring: Cannot build dashboards or alerts based on event data

Proof of Concept

Test demonstrating the improved event implementation:

use std::timestamp;
#[test_only]
use std::debug::print;
#[test(owner = @0xcc, init_addr= @0x1)]
fun test_empty_event_emission(owner: &signer, init_addr: signer) {
use aptos_framework::account;
use std::vector;
timestamp::set_time_has_started_for_testing(&init_addr);
// Set up test environment
account::create_account_for_test(signer::address_of(owner));
// Set a secret to trigger event emission
let secret = b"test secret for event";
set_secret(owner, secret);
// Check if SetNewSecret event was emitted
let events = event::emitted_events<SetNewSecret>();
print(&events);
assert!(vector::length(&events) > 0, 5);
// Verify that the event was emitted with meaningful data
let was_emitted = event::was_event_emitted(&SetNewSecret {
caller: signer::address_of(owner),
timestamp: 0,
});
assert!(was_emitted, 6);
}

After implementing the fix, event output contains valuable information:

[debug] [
0xf2def06af10906e4da78ce8c7ab8a4b222e97dfe54af0bb0ab5f7e1a48379e85::vault::SetNewSecret {
caller: @0xcc, // Now shows who set the secret
timestamp: 0 // Now shows when (0 in test environment)
}
]

Recommended Mitigation

Improved Implementation with Meaningful Event Data:

use std::timestamp;
// events
#[event]
struct SetNewSecret has drop, store {
caller: address, // Who set the secret
timestamp: u64, // When it was set
}
public entry fun set_secret(caller: &signer, secret: vector<u8>) {
let secret_vault = Vault{secret: string::utf8(secret)};
move_to(caller, secret_vault);
event::emit(SetNewSecret {
caller: signer::address_of(caller),
timestamp: timestamp::now_seconds(),
});
}

Test Results After Implementation:

Running Move unit tests
[debug] [
0xf2def06af10906e4da78ce8c7ab8a4b222e97dfe54af0bb0ab5f7e1a48379e85::vault::SetNewSecret {
caller: @0xcc,
timestamp: 0
}
]
[ PASS ] 0xf2def06af10906e4da78ce8c7ab8a4b222e97dfe54af0bb0ab5f7e1a48379e85::vault::test_empty_event_emission

This improvement adds:

  • caller: The address that initiated the secret update for accountability

  • timestamp: When the operation occurred for audit trail

Benefits:

  • Provides complete audit trail of who modified secrets and when

  • Enables monitoring and alerting on secret operations

Updates

Lead Judging Commences

bube Lead Judge 16 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Insufficient Data in `SetNewSecret` event

This is an Informational finding. It has no impact on the security of the protocol.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.