One Shot: Reloaded

First Flight #47
Beginner FriendlyNFT
100 EXP
View results
Submission Details
Impact: medium
Likelihood: medium
Invalid

Event Misattribution in MintRapperEvent

Description

In the mint_rapper function, the module emits a MintRapperEvent to notify external observers that a new rapper token has been created.

Expected behaviour:
The minter field of the event should represent the signer authorised to mint — in this case, the module owner (@battle_addr).

Actual behaviour:
The implementation incorrectly assigns the token recipient (to) as the minter. This means event logs will consistently show the wrong party as the originator of the mint.

// Inside mint_rapper
event::emit(MintRapperEvent {
- minter: to, // @> Incorrect: recipient is labelled as minter
token_id
});
  • Normal behaviour: Events act as the primary source of truth for provenance in token ecosystems, allowing indexers and marketplaces to build accurate histories.

  • Issue: Provenance is broken — events claim the token was minted by the recipient rather than the authorised contract owner.

  • Impact:

    1. Historical analytics and leaderboards become unreliable.

    2. Marketplaces may incorrectly attribute all mints to end-users instead of the module.

Risk

Likelihood:

  • This bug triggers every time a mint occurs.

  • It requires no special conditions and is fully reproducible.

Impact:

  • Misleading mint history for every token created.

  • Off-chain services (indexers, explorers, dApps) lose trust in the module’s data integrity.

Proof of Concept


Proof of Concept

  1. Deploy the module

    • Assume the module is published at the address @battle_addr.

    • By design, only this address has the authority to mint new rapper tokens.

  2. Mint a new rapper

    • Call the mint_rapper function, passing module_owner = @battle_addr (the signer) and to = 0xCAFE (an arbitrary recipient).

    • Internally, the function mints a new token::Token object, creates associated StatsData, and prepares to emit the MintRapperEvent.

  3. Inspect the emitted event

    • On successful execution, the blockchain records a MintRapperEvent.

    • The fields of the event appear as follows:

      • minter = 0xCAFE

      • token_id = <newly created rapper token address>

  4. Mismatch in expectations vs. reality

    • At this point, the recipient (0xCAFE) is incorrectly marked as the minter.

    • In reality, @battle_addr was the transaction signer and the only entity authorised to mint.

  5. Consequences of the misattribution

    • Any indexer, analytics service, or marketplace that consumes this event will record that 0xCAFE minted the rapper.

    • Over time, this will pollute the provenance history of all rapper tokens, showing recipients as creators even though they had no minting authority.



Recommended Mitigation

Update the event emission to use the actual signer (module owner) rather than the recipient.

- event::emit(MintRapperEvent { minter: to, token_id });
+ event::emit(MintRapperEvent { minter: signer::address_of(module_owner), token_id });- remove this code
Updates

Lead Judging Commences

bube Lead Judge 16 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Incorrect event parameter in `one_shot::mint_rapper` function

The intended behavior is the first argument of the event to be the person who receives the token. Therefore, the event emitts correct arguments. You can see the use of `minter` in the test file: https://github.com/CodeHawks-Contests/2025-09-one-shot-reloaded/blob/b4843930562e6f98468a7ca7c99e2c4e1e71d3d9/tests/one_shot_tests.move#L12

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.