Secret Vault on Aptos

First Flight #46
Submission Details
Impact: low
Likelihood: high
Invalid

Empty Events Provide No Information for Off-Chain Monitoring

Root + Impact

Description

Normal Behavior

Events should provide meaningful information to enable off-chain applications to monitor contract activity, track user actions, and build comprehensive audit trails.

Issue

The SetNewSecret event contains no fields, making it completely useless for off-chain monitoring. When multiple users set secrets, there's no way to distinguish between events, identify which user performed the action, or correlate events with specific operations.

#[event]
struct SetNewSecret has drop, store {
    // ❌ No fields - completely empty event
}

public entry fun set_secret(caller:&signer,secret:vector<u8>){
    // ...
    event::emit(SetNewSecret {}); // @> Emits empty event
}

Risk

Likelihood:

  • Every set_secret call emits an empty event

  • Off-chain applications cannot distinguish between events

  • 100% of events provide no useful information

Impact:

  • No monitoring capability: Off-chain apps cannot track secret operations

  • Poor audit trails: Cannot correlate events to specific users or actions

  • Development friction: Developers cannot build meaningful integrations

  • Debugging difficulty: No event-based debugging or analysis possible

  • Missing analytics: Cannot track usage patterns or user behavior

Proof of Concept

The following test demonstrates the empty event vulnerability:

#[test(user1 = @0x777, user2 = @0x778, user3 = @0x779)]
fun test_empty_event_vulnerability(user1: &signer, user2: &signer, user3: &signer) {
    // Multiple users set secrets
    set_secret(user1, b"user1_secret");
    set_secret(user2, b"user2_secret");
    set_secret(user3, b"user3_secret");
    // 3 SetNewSecret events were emitted
    // But they contain ZERO information:
    // - No owner address
    // - No secret hash/digest
    // - No timestamp
    // - No metadata
}
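
The PoC above emits the events without inspecting them. As an added example (not the contest code or the submitter's PoC), this test-only module checks the emitted payloads with the Aptos framework test helpers `event::emitted_events` and `event::was_event_emitted`. The address `0xcafe`, the module and function names, and the `SecretSetBy` event are hypothetical.

```move
// Added example, not the contest code. The address 0xcafe, the module name,
// set_secret_empty, set_secret_attributed and SecretSetBy are hypothetical.
#[test_only]
module 0xcafe::event_attribution_demo {
    use std::signer;
    use std::vector;
    use aptos_framework::event;

    // Same shape as the event on the page: no fields.
    #[event]
    struct SetNewSecret has drop, store {}

    // Hypothetical variant that carries only the caller's address.
    #[event]
    struct SecretSetBy has drop, store { owner: address }

    fun set_secret_empty(_caller: &signer) {
        event::emit(SetNewSecret {});
    }

    fun set_secret_attributed(caller: &signer) {
        event::emit(SecretSetBy { owner: signer::address_of(caller) });
    }

    #[test(user1 = @0x777, user2 = @0x778)]
    fun empty_events_compare_equal(user1: &signer, user2: &signer) {
        set_secret_empty(user1);
        set_secret_empty(user2);
        let events = event::emitted_events<SetNewSecret>();
        assert!(vector::length(&events) == 2, 0);
        // Two callers, two events, identical payloads: the event data alone
        // cannot tell them apart.
        assert!(vector::borrow(&events, 0) == vector::borrow(&events, 1), 1);
    }

    #[test(user1 = @0x777, user2 = @0x778)]
    fun attributed_events_identify_caller(user1: &signer, user2: &signer) {
        set_secret_attributed(user1);
        set_secret_attributed(user2);
        // Each caller's event can be matched by its owner field.
        assert!(event::was_event_emitted(&SecretSetBy { owner: @0x777 }), 2);
        assert!(event::was_event_emitted(&SecretSetBy { owner: @0x778 }), 3);
        // No event exists for an address that never called.
        assert!(!event::was_event_emitted(&SecretSetBy { owner: @0x779 }), 4);
    }
}
```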

Recommended Mitigation

Add meaningful fields to the event:

#[event]
struct SetNewSecret has drop, store {
+ owner: address, // Who set the secret
+ secret_hash: vector<u8>, // Hash of secret for verification
+ timestamp: u64, // When the secret was set
+ size: u64, // Size of the secret data
}
public entry fun set_secret(caller:&signer,secret:vector<u8>){
+ use aptos_framework::timestamp;
+ use aptos_std::crypto_algebra;
+
let secret_vault = Vault{secret: string::utf8(secret)};
move_to(caller,secret_vault);
- event::emit(SetNewSecret {});
+ event::emit(SetNewSecret {
+ owner: signer::address_of(caller),
+ secret_hash: crypto_algebra::sha3_256(secret),
+ timestamp: timestamp::now_seconds(),
+ size: vector::length(&secret),
+ });
}
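
Review bot: The `secret_hash` and `size` fields added to `event::emit(SetNewSecret { ... })` publish an unsalted SHA3-256 digest and the exact length of the secret in an event that any off-chain reader can fetch, so a short or guessable secret can be confirmed by hashing candidates offline. I would emit only `owner` (plus `timestamp` if it is wanted) and drop both fields. Separately, `aptos_std::crypto_algebra` does not provide `sha3_256`; the SHA3-256 helper is `std::hash::sha3_256`, so the added `use` line and the `crypto_algebra::sha3_256(secret)` call would not compile as written.
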
Updates

Lead Judging Commences

bube Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Insufficient Data in `SetNewSecret` event

This is an Informational finding. It has no impact on the security of the protocol.
