Company Simulator

First Flight #51

Beginner FriendlyDeFi

100 EXP

View all submissions

Previous Next

Submission Details

Impact: medium

Likelihood: high

ReputationChanged event is not emitted when the Reputation changed on a successful sell to the customer.

Author Revealed upon completion

Root: Missing `ReputationChanged` log when reputation increases after a successful sale.
Impact: Off-chain systems or analytics can’t track positive reputation changes, leading to inconsistent or misleading company state.

Description

When a sale is successful, the company’s reputation should increase (if below 100) and this change should be transparently recorded through an event, allowing off-chain systems to track performance accurately.
Currently, the contract updates the reputation value after a successful sale but does not emit the ReputationChanged event, causing off-chain analytics and monitoring tools to miss these positive reputation updates.

Root Cause:

In the `sell_to_customer` function, the reputation is updated after a successful sale,

but the event is never logged. The relevant section is:

Cyfrin_Hub.vy:

if self.inventory >= requested:

self.inventory -= requested

revenue: uint256 = requested * SALE_PRICE

self.company_balance += revenue

if self.reputation < 100:

self.reputation = min(self.reputation + REPUTATION_REWARD, 100)

else:

self.reputation = 100

log Sold(amount=requested, revenue=revenue) @> ReputationChanged not logged here

Risk

Likelihood:

Occurs every time a successful sale increases the company’s reputation.
Happens consistently for all users whose purchases trigger reputation growth.

Impact:

Off-chain systems, dashboards, or analytics will not receive accurate reputation updates.
Misleads stakeholders or automated decision systems that rely on event logs for company reputation.

Proof of Concept

1. Deploy CompanyGame and CustomerEngine contracts.

2. Trigger a sale where the company inventory is sufficient and reputation is below 100.

3. Observe that Sold event is emitted but ReputationChanged event is missing.

4. Check off-chain logs or event listeners — reputation increase is not captured.

Recommended Mitigation

Ensure that any change to reputation, whether increase or decrease, is always logged using the ReputationChanged event.
Modify the sell_to_customer function to emit the event after a successful sale when reputation increases.

Cyfrin_Hub.vy line 163

- # current code (reputation updated but not logged)

- if self.reputation < 100:

- self.reputation = min(self.reputation + REPUTATION_REWARD, 100)

- else:

- self.reputation = 100

+ # updated code with event logging

+ old_rep: uint256 = self.reputation

+ if old_rep < 100:

+ self.reputation = min(old_rep + REPUTATION_REWARD, 100)

+ else:

+ self.reputation = 100

+ if self.reputation != old_rep:

+ log ReputationChanged(new_reputation=self.reputation)

Rewards breakdown

nSLOC

265

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.