In the `mint_rapper` function, the module emits a `MintRapperEvent` to notify external observers that a new rapper token has been created.
Expected behaviour:
The `minter` field of the event should represent the signer authorised to mint — in this case, the module owner (`@battle_addr`).
Actual behaviour:
The implementation incorrectly assigns the token recipient (`to`) as the `minter`. This means event logs will consistently show the wrong party as the originator of the mint.
Normal behaviour: Events act as the primary source of truth for provenance in token ecosystems, allowing indexers and marketplaces to build accurate histories.
Issue: Provenance is broken — events claim the token was minted by the recipient rather than the authorised contract owner.
Impact:
Historical analytics and leaderboards become unreliable.
Marketplaces may incorrectly attribute all mints to end-users instead of the module.
Likelihood:
This bug triggers every time a mint occurs.
It requires no special conditions and is fully reproducible.
Impact:
Misleading mint history for every token created.
Off-chain services (indexers, explorers, dApps) lose trust in the module’s data integrity.
Deploy the module
Assume the module is published at the address `@battle_addr`.
By design, only this address has the authority to mint new rapper tokens.
Mint a new rapper
Call the `mint_rapper` function, passing `module_owner = @battle_addr` (the signer) and `to = 0xCAFE` (an arbitrary recipient).
Internally, the function mints a new `token::Token` object, creates associated `StatsData`, and prepares to emit the `MintRapperEvent`.
Inspect the emitted event
On successful execution, the blockchain records a `MintRapperEvent`.
The fields of the event appear as follows:
minter = 0xCAFE
token_id = <newly created rapper token address>
Mismatch in expectations vs. reality
At this point, the recipient (`0xCAFE`) is incorrectly marked as the minter.
In reality, `@battle_addr` was the transaction signer and the only entity authorised to mint.
Consequences of the misattribution
Any indexer, analytics service, or marketplace that consumes this event will record that `0xCAFE` minted the rapper.
Over time, this will pollute the provenance history of all rapper tokens, showing recipients as creators even though they had no minting authority.
Update the event emission to use the actual signer (module owner) rather than the recipient.
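A consumer-side view of the mismatch walked through in the steps above, as an added example that is not part of the original submission or the project's code: an indexer takes the mint originator from the transaction sender and flags events whose `minter` field names a different address. The record layout, the `0xba771e` stand-in for `@battle_addr`, and the module name in the event type are constructed for illustration.

```python
# Added example: constructed indexer-side records, not the project's code.
# The record layout and all addresses below are assumptions for illustration.
BATTLE_ADDR = "0xba771e"  # stand-in for @battle_addr (module owner / signer)

SAMPLE_TXNS = [
    # Owner mints to 0xCAFE: the event's minter field carries the recipient.
    {"version": 101, "sender": BATTLE_ADDR, "events": [
        {"type": "0xba771e::example::MintRapperEvent",
         "data": {"minter": "0xCAFE", "token_id": "0x1001"}}]},
    # Owner mints to itself, with a zero-padded address in the event.
    {"version": 102, "sender": BATTLE_ADDR, "events": [
        {"type": "0xba771e::example::MintRapperEvent",
         "data": {"minter": "0x00ba771e", "token_id": "0x1002"}}]},
    # Unrelated event type: ignored.
    {"version": 103, "sender": "0xCAFE", "events": [
        {"type": "0x1::example::OtherEvent", "data": {}}]},
]


def normalize(addr: str) -> str:
    """Lower-case an address and drop leading zeros so equal values compare equal."""
    digits = addr.lower().removeprefix("0x").lstrip("0")
    return "0x" + (digits or "0")


def attribute_mints(txns):
    """Build one provenance record per MintRapperEvent.

    The originator is taken from the transaction sender; the event's
    `minter` field is kept alongside it and compared, never trusted alone.
    """
    records = []
    for txn in txns:
        signer = normalize(txn["sender"])
        for event in txn["events"]:
            if event["type"].rsplit("::", 1)[-1] != "MintRapperEvent":
                continue
            event_minter = normalize(event["data"]["minter"])
            records.append({
                "version": txn["version"],
                "token_id": event["data"]["token_id"],
                "signer": signer,
                "event_minter": event_minter,
                "mismatch": event_minter != signer,
            })
    return records


if __name__ == "__main__":
    for rec in attribute_mints(SAMPLE_TXNS):
        print(rec)
```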
The intended behavior is for the first argument of the event to be the person who receives the token. Therefore, the event emits the correct arguments. You can see the use of `minter` in the test file: https://github.com/CodeHawks-Contests/2025-09-one-shot-reloaded/blob/b4843930562e6f98468a7ca7c99e2c4e1e71d3d9/tests/one_shot_tests.move#L12