One Shot: Reloaded

First Flight #47
Submission Details
Impact: low
Likelihood: high
Invalid

[L-01] Lack of Event Emission for Important State Changes

Root + Impact

Description

The protocol lacks comprehensive event emission for critical state changes, making it difficult to track protocol activity off-chain. Missing events include CRED token minting, NFT ownership transfers, and staking reward distributions.

The mint function and other state-changing operations don't emit events, preventing off-chain monitoring and historical analysis of protocol activity.

// In cred_token.move - No mint events
@> public(friend) fun mint(
@>     module_owner: &signer,
@>     to: address,
@>     amount: u64
@> ) acquires CredCapabilities {
@>     let caps = borrow_global<CredCapabilities>(signer::address_of(module_owner));
@>     let coins = coin::mint<CRED>(amount, &caps.mint_cap);
@>     if (coin::is_account_registered<CRED>(to)) {
@>         coin::deposit(to, coins);
@>     } else {
@>         coin::destroy_zero(coins);
@>     };
@> }

Risk

Likelihood:

  • Every state change lacks event emission across multiple modules

  • Missing events affect all users and operations

Impact:

  • Difficult off-chain tracking and monitoring

  • Limited historical analysis capabilities

  • Reduced transparency for users and auditors

Proof of Concept

This PoC demonstrates the lack of event emission across critical operations:

// Demonstrate missing events across multiple operations

// 1. Token minting without events
cred_token::mint(&module_owner, user_address, 1000);
// No event emitted - off-chain systems cannot track this minting

// 2. NFT minting without transfer events
one_shot::mint_rapper(&module_owner, user_address);
// No event for NFT creation or ownership tracking

// 3. Staking without reward events
streets::stake(&user, token_object);
// Later: streets::unstake(&user, &module_owner, token_object);
// No event for rewards distributed

// 4. Battle outcomes without result events
rap_battle::go_on_stage_or_battle(&user, token, 100);
// No event for battle outcome or winner

// Result: Complete lack of transparency for off-chain systems
// Users cannot track their assets or rewards historically

Recommended Mitigation

The mitigation adds comprehensive event emission for all critical operations:

+ #[event]
+ struct MintEvent has drop, store {
+ to: address,
+ amount: u64,
+ timestamp: u64,
+ }
+
+ #[event]
+ struct StakedEvent has drop, store {
+ owner: address,
+ token_id: address,
+ start_time: u64,
+ bet_amount: u64,
+ }
+
+ #[event]
+ struct BattleResultEvent has drop, store {
+ defender: address,
+ challenger: address,
+ winner: address,
+ prize_amount: u64,
+ timestamp: u64,
+ }
+
public(friend) fun mint(
module_owner: &signer,
to: address,
amount: u64
) acquires CredCapabilities {
let caps = borrow_global<CredCapabilities>(signer::address_of(module_owner));
let coins = coin::mint<CRED>(amount, &caps.mint_cap);
+ event::emit(MintEvent { to, amount, timestamp: timestamp::now_seconds() });
+
if (coin::is_account_registered<CRED>(to)) {
coin::deposit(to, coins);
} else {
coin::destroy_zero(coins);
};
}
+
+ // Add similar events for all state-changing operations
+ // streets::stake() -> emit StakedEvent
+ // streets::unstake() -> emit UnstakedEvent with rewards
+ // rap_battle::go_on_stage_or_battle() -> emit BattleResultEvent
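
Review bot: In `mint`, the added `event::emit(MintEvent { ... })` sits before the `if (coin::is_account_registered<CRED>(to))` check, so a `MintEvent` naming `to` is also emitted on the `else` path, where the coins go to `coin::destroy_zero` and nothing is deposited. Move the emit into the registered branch, after `coin::deposit(to, coins);`, so the log only records mints that reached the recipient. Two smaller points: the trailing comments rely on an `UnstakedEvent` that this patch never defines, and `StakedEvent.bet_amount` reads like a battle field with no visible source in `streets::stake()`, so either define and document them or drop them. The patch also shows no `use` lines for the `event` and `timestamp` modules it calls.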

This mitigation adds comprehensive event logging that enables off-chain monitoring, historical analysis, and improved transparency for all protocol operations.
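
What the proposed events make possible off-chain, as an added example (not code from the submission or the protocol): a reconciler that sums `MintEvent` records per recipient and checks them against observed CRED supply growth. The module address `0xCAFE`, the record envelope (`version`, `index`, `type`) and the sample events are constructed assumptions; only the `data` field names come from the structs above.

```python
from collections import defaultdict

# Assumption: placeholder address; the page does not give the deployed module address.
MINT_EVENT_TYPE = "0xCAFE::cred_token::MintEvent"
U64_MAX = 2**64 - 1

# Constructed sample records. The data fields follow the MintEvent / StakedEvent
# structs in the mitigation; the envelope and string-encoded u64 values are an
# assumed indexer output shape.
SAMPLE_EVENTS = [
    {"version": 101, "index": 0, "type": MINT_EVENT_TYPE,
     "data": {"to": "0xa11ce", "amount": "1000", "timestamp": "1700000000"}},
    {"version": 102, "index": 1, "type": MINT_EVENT_TYPE,
     "data": {"to": "0xb0b", "amount": "250", "timestamp": "1700000060"}},
    # Same (version, index) delivered twice, e.g. after an indexer retry.
    {"version": 102, "index": 1, "type": MINT_EVENT_TYPE,
     "data": {"to": "0xb0b", "amount": "250", "timestamp": "1700000060"}},
    # Unrelated event type must not be counted as a mint.
    {"version": 103, "index": 0, "type": "0xCAFE::streets::StakedEvent",
     "data": {"owner": "0xa11ce", "token_id": "0x1",
              "start_time": "1700000100", "bet_amount": "0"}},
    # Malformed amount is reported, not silently dropped.
    {"version": 104, "index": 0, "type": MINT_EVENT_TYPE,
     "data": {"to": "0xa11ce", "amount": "-5", "timestamp": "1700000200"}},
]

def minted_totals(events, event_type=MINT_EVENT_TYPE):
    """Return (per-recipient totals, rejected records) for one event type."""
    totals, rejected, seen = defaultdict(int), [], set()
    for ev in events:
        if ev.get("type") != event_type:
            continue
        key = (ev.get("version"), ev.get("index"))
        if key in seen:  # de-duplicate redelivered events
            continue
        seen.add(key)
        data = ev.get("data", {})
        amount = str(data.get("amount", ""))
        valid = amount.isascii() and amount.isdigit() and int(amount) <= U64_MAX
        if "to" not in data or not valid:
            rejected.append(ev)
            continue
        totals[data["to"]] += int(amount)
    return dict(totals), rejected

def unexplained_supply(events, supply_before, supply_after):
    """Supply growth not covered by MintEvent records (assumes no burns in the window)."""
    totals, _ = minted_totals(events)
    return (supply_after - supply_before) - sum(totals.values())
```

A non-zero result from `unexplained_supply` means CRED supply moved without a matching event, which is the situation the unpatched `mint` leaves a monitor in for every mint.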

Updates

Lead Judging Commences

bube Lead Judge 16 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
