One Shot: Reloaded

First Flight #47
Beginner Friendly, NFT
100 EXP
Submission Details
Impact: low
Likelihood: high
Invalid

Misleading Minter Field in MintRapperEvent

Root + Impact

Description

  • MintRapperEvent should accurately log the minter as the module owner.

  • The specific issue is that the event is emitted with `minter: to` (the recipient) instead of the actual minter (`@battle_addr`).

// In one_shot.move
//@> event::emit(MintRapperEvent { minter: to, token_id });

Risk

Likelihood: High

  • A mint occurs.

  • Event logs recipient as minter.

Impact: Low

  • Confusion in off-chain tracking or UIs.

  • Misattribution of mint actions.

Proof of Concept

  • Mint to addr: event shows minter as addr, not @battle_addr.

#[test(module_owner = @battle_addr, recipient = @0x123)]
fun test_misleading_minter_event(module_owner: &signer, recipient: &signer) acquires battle_addr::one_shot::Collection, battle_addr::one_shot::RapperStats {
    // Setup
    battle_addr::one_shot::init_module(module_owner);
    // Mint to recipient
    battle_addr::one_shot::mint_rapper(module_owner, signer::address_of(recipient));
    // Event emitted with minter: recipient, but actual is module_owner
    // Demonstrate by inspecting event (in test, assume event listener or assert logic)
    // Vulnerability: Off-chain misattribution
}

Recommended Mitigation

- minter: to
+ minter: @battle_addr
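Review bot: on the `+ minter: @battle_addr` line the field becomes a constant, so every MintRapperEvent would carry the same address and, since the event's only other field is `token_id`, nothing in it would identify the recipient `to` any more. If the module owner needs to appear in the event, add it as a separate field and keep `minter: to`, and check every consumer or test that reads `minter` before changing what the field means.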
Updates

Lead Judging Commences

bube Lead Judge 16 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Incorrect event parameter in `one_shot::mint_rapper` function

The intended behavior is for the first argument of the event to be the person who receives the token. Therefore, the event emits correct arguments. You can see the use of `minter` in the test file: https://github.com/CodeHawks-Contests/2025-09-one-shot-reloaded/blob/b4843930562e6f98468a7ca7c99e2c4e1e71d3d9/tests/one_shot_tests.move#L12
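
Added example, not part of the submission or the project's code: an off-chain consumer of `MintRapperEvent` that reads `minter` as the recipient, as the judge's comment describes, and takes the calling account from the transaction itself. It assumes transactions shaped like Aptos REST API JSON; `BATTLE_ADDR`, the addresses and the token ids are constructed placeholders.

```python
# Off-chain attribution of one_shot mints (added example, not project code).
# Assumption: each transaction is a dict shaped like Aptos REST API JSON,
# with "sender", "success" and "events" (each event has "type" and "data").

BATTLE_ADDR = "0xba771e"  # constructed placeholder for @battle_addr
MINT_EVENT = f"{BATTLE_ADDR}::one_shot::MintRapperEvent"


def norm(addr):
    """Canonicalise a hex address so 0x0123 and 0x123 compare equal."""
    body = addr.lower()
    if body.startswith("0x"):
        body = body[2:]
    return "0x" + (body.lstrip("0") or "0")


def attribute_mints(transactions):
    """Return one record per mint: caller from the tx, recipient from the event."""
    records = []
    for tx in transactions:
        if not tx.get("success"):
            continue  # aborted mint, nothing to attribute
        for ev in tx.get("events", []):
            mod_addr, _, rest = ev["type"].partition("::")
            if norm(mod_addr) != norm(BATTLE_ADDR) or rest != "one_shot::MintRapperEvent":
                continue  # same event name under another address is not ours
            records.append({
                "token_id": ev["data"]["token_id"],
                "recipient": norm(ev["data"]["minter"]),  # field names the receiver
                "caller": norm(tx["sender"]),             # account that signed the mint
            })
    return records


# Constructed sample input: one real mint, one look-alike event, one aborted tx.
SAMPLE_TXS = [
    {"sender": "0xBA771E", "success": True, "events": [
        {"type": MINT_EVENT, "data": {"minter": "0x0123", "token_id": "0xa1"}}]},
    {"sender": "0x666", "success": True, "events": [
        {"type": "0x666::one_shot::MintRapperEvent",
         "data": {"minter": "0x666", "token_id": "0xff"}}]},
    {"sender": "0xba771e", "success": False, "events": []},
]

if __name__ == "__main__":
    for record in attribute_mints(SAMPLE_TXS):
        print(record)
```
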
