One Shot: Reloaded

Description

In the mint_rapper function, the module emits a MintRapperEvent to notify external observers that a new rapper token has been created.

Expected behaviour:
The minter field of the event should represent the signer authorised to mint — in this case, the module owner (@battle_addr).

Actual behaviour:
The implementation incorrectly assigns the token recipient (to) as the minter. This means event logs will consistently show the wrong party as the originator of the mint.

• Normal behaviour: Events act as the primary source of truth for provenance in token ecosystems, allowing indexers and marketplaces to build accurate histories.

• Issue: Provenance is broken — events claim the token was minted by the recipient rather than the authorised contract owner.

• Impact:

  1. Historical analytics and leaderboards become unreliable.

  2. Marketplaces may incorrectly attribute all mints to end-users instead of the module.

Risk

Likelihood:

• This bug triggers every time a mint occurs.

• It requires no special conditions and is fully reproducible.

Impact:

• Misleading mint history for every token created.

• Off-chain services (indexers, explorers, dApps) lose trust in the module’s data integrity.

Proof of Concept

Proof of Concept

1. Deploy the module

   • Assume the module is published at the address @battle_addr.

   • By design, only this address has the authority to mint new rapper tokens.

2. Mint a new rapper

   • Call the mint_rapper function, passing module_owner = @battle_addr (the signer) and to = 0xCAFE (an arbitrary recipient).

   • Internally, the function mints a new token::Token object, creates associated StatsData, and prepares to emit the MintRapperEvent.

3. Inspect the emitted event

   • On successful execution, the blockchain records a MintRapperEvent.

   • The fields of the event appear as follows:

     • minter = 0xCAFE

     • token_id = <newly created rapper token address>

4. Mismatch in expectations vs. reality

   • At this point, the recipient (0xCAFE) is incorrectly marked as the minter.

   • In reality, @battle_addr was the transaction signer and the only entity authorised to mint.

5. Consequences of the misattribution

   • Any indexer, analytics service, or marketplace that consumes this event will record that 0xCAFE minted the rapper.

   • Over time, this will pollute the provenance history of all rapper tokens, showing recipients as creators even though they had no minting authority.

Recommended Mitigation

Update the event emission to use the actual signer (module owner) rather than the recipient.