Root + Impact
Description
The protocol lacks comprehensive event emission for critical state changes, making it difficult to track protocol activity off-chain. Missing events include CRED token minting, NFT ownership transfers, and staking reward distributions.
The mint function and other state-changing operations don't emit events, preventing off-chain monitoring and historical analysis of protocol activity.
@> public(friend) fun mint(
@>     module_owner: &signer,
@>     to: address,
@>     amount: u64
@> ) acquires CredCapabilities {
@>     let caps = borrow_global<CredCapabilities>(signer::address_of(module_owner));
@>     let coins = coin::mint<CRED>(amount, &caps.mint_cap);
@>     if (coin::is_account_registered<CRED>(to)) {
@>         coin::deposit(to, coins);
@>     } else {
@>         coin::destroy_zero(coins);
@>     };
@> }
Risk
Likelihood:
Impact:
Difficult off-chain tracking and monitoring
Limited historical analysis capabilities
Reduced transparency for users and auditors
Proof of Concept
This PoC demonstrates the lack of event emission across critical operations:
cred_token::mint(&module_owner, user_address, 1000);
one_shot::mint_rapper(&module_owner, user_address);
streets::stake(&user, token_object);
rap_battle::go_on_stage_or_battle(&user, token, 100);
Recommended Mitigation
The mitigation adds comprehensive event emission for all critical operations:
+ #[event]
+ struct MintEvent has drop, store {
+ to: address,
+ amount: u64,
+ timestamp: u64,
+ }
+
+ #[event]
+ struct StakedEvent has drop, store {
+ owner: address,
+ token_id: address,
+ start_time: u64,
+ bet_amount: u64,
+ }
+
+ #[event]
+ struct BattleResultEvent has drop, store {
+ defender: address,
+ challenger: address,
+ winner: address,
+ prize_amount: u64,
+ timestamp: u64,
+ }
+
public(friend) fun mint(
module_owner: &signer,
to: address,
amount: u64
) acquires CredCapabilities {
let caps = borrow_global<CredCapabilities>(signer::address_of(module_owner));
let coins = coin::mint<CRED>(amount, &caps.mint_cap);
+ event::emit(MintEvent { to, amount, timestamp: timestamp::now_seconds() });
+
if (coin::is_account_registered<CRED>(to)) {
coin::deposit(to, coins);
} else {
coin::destroy_zero(coins);
};
}
+
+ // Add similar events for all state-changing operations
+ // streets::stake() -> emit StakedEvent
+ // streets::unstake() -> emit UnstakedEvent with rewards
+ // rap_battle::go_on_stage_or_battle() -> emit BattleResultEvent
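Review bot: the `event::emit(MintEvent { ... })` call sits above the `coin::is_account_registered<CRED>(to)` check, so it also runs on the `else` path, where the coins go to `coin::destroy_zero` and nothing is deposited to `to`; move the emit inside the `if` branch, after `coin::deposit(to, coins)`, so the event only records coins that reached the recipient. The hunk also shows no `use` lines for `event` and `timestamp`. It declares `StakedEvent` and `BattleResultEvent` next to `cred_token`'s `mint`, while the closing comments have `streets` and `rap_battle` emit them; a Move struct can only be constructed in the module that declares it, so each event struct belongs in the module that emits it. `UnstakedEvent` is named in the comments but has no struct definition here.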
This mitigation adds comprehensive event logging that enables off-chain monitoring, historical analysis, and improved transparency for all protocol operations.
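What the proposed MintEvent makes possible off-chain, as an added example that is not part of the original report or the protocol's code: a small Python consumer that totals CRED mints per recipient and flags large ones. The module address 0xc0ffee, the JSON shape of the sample records, the module each sample event is attributed to, and the alert threshold are assumptions.

```python
import json
from collections import defaultdict

# Assumption: the address the protocol modules are published under (placeholder).
PROTOCOL_ADDR = "0xc0ffee"
MINT_EVENT_TYPE = f"{PROTOCOL_ADDR}::cred_token::MintEvent"

# Constructed sample input, not real chain data. u64 fields are strings,
# as in Aptos REST API JSON; field names follow the structs in the mitigation.
SAMPLE_EVENTS = json.loads("""
[
  {"type": "0xc0ffee::cred_token::MintEvent",
   "data": {"to": "0xa11ce", "amount": "1000", "timestamp": "1700000000"}},
  {"type": "0xc0ffee::streets::StakedEvent",
   "data": {"owner": "0xa11ce", "token_id": "0x77",
            "start_time": "1700000100", "bet_amount": "0"}},
  {"type": "0xbad::cred_token::MintEvent",
   "data": {"to": "0xa11ce", "amount": "999999", "timestamp": "1700000200"}},
  {"type": "0xc0ffee::cred_token::MintEvent",
   "data": {"to": "0xb0b", "amount": "250000", "timestamp": "1700000300"}}
]
""")


def summarize_mints(events, alert_threshold):
    """Return (minted total per recipient, alerts for mints >= alert_threshold)."""
    totals = defaultdict(int)
    alerts = []
    for ev in events:
        # Match the fully qualified type: a look-alike module published at
        # another address can emit an event with the same struct name.
        if ev.get("type") != MINT_EVENT_TYPE:
            continue
        data = ev["data"]
        amount = int(data["amount"])
        totals[data["to"]] += amount
        if amount >= alert_threshold:
            alerts.append((int(data["timestamp"]), data["to"], amount))
    return dict(totals), alerts


if __name__ == "__main__":
    totals, alerts = summarize_mints(SAMPLE_EVENTS, alert_threshold=100_000)
    print("minted per recipient:", totals)
    print("large mints:", alerts)
```

The record from `0xbad` is ignored even though its struct name matches, which is why the filter compares the full type string rather than a suffix.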