Company Simulator
First Flight #51
Beginner FriendlyDeFi
100 EXP
View results
Previous Next
Submission Details
Severity: low
Valid

ReputationChanged event is not emitted when the Reputation changed on a successful sell to the customer.

shalu2500

Root: Missing ReputationChanged log when reputation increases after a successful sale.
Impact: Off-chain systems or analytics can’t track positive reputation changes, leading to inconsistent or misleading company state.

Description

  • When a sale is successful, the company’s reputation should increase (if below 100) and this change should be transparently recorded through an event, allowing off-chain systems to track performance accurately.

  • Currently, the contract updates the reputation value after a successful sale but does not emit the ReputationChanged event, causing off-chain analytics and monitoring tools to miss these positive reputation updates.

Root Cause:
In the `sell_to_customer` function, the reputation is updated after a successful sale,
but the event is never logged. The relevant section is:
Cyfrin_Hub.vy:
if self.inventory >= requested:
self.inventory -= requested
revenue: uint256 = requested * SALE_PRICE
self.company_balance += revenue
if self.reputation < 100:
self.reputation = min(self.reputation + REPUTATION_REWARD, 100)
else:
self.reputation = 100
log Sold(amount=requested, revenue=revenue) @> ReputationChanged not logged here

Risk

Likelihood:

  • Occurs every time a successful sale increases the company’s reputation.

  • Happens consistently for all users whose purchases trigger reputation growth.

Impact:

  • Off-chain systems, dashboards, or analytics will not receive accurate reputation updates.

  • Misleads stakeholders or automated decision systems that rely on event logs for company reputation.

Proof of Concept

1. Deploy CompanyGame and CustomerEngine contracts.
2. Trigger a sale where the company inventory is sufficient and reputation is below 100.
3. Observe that Sold event is emitted but ReputationChanged event is missing.
4. Check off-chain logs or event listenersreputation increase is not captured.

Recommended Mitigation

  • Ensure that any change to reputation, whether increase or decrease, is always logged using the ReputationChanged event.

  • Modify the sell_to_customer function to emit the event after a successful sale when reputation increases.

Cyfrin_Hub.vy line 163
- # current code (reputation updated but not logged)
- if self.reputation < 100:
- self.reputation = min(self.reputation + REPUTATION_REWARD, 100)
- else:
- self.reputation = 100
+ # updated code with event logging
+ old_rep: uint256 = self.reputation
+ if old_rep < 100:
+ self.reputation = min(old_rep + REPUTATION_REWARD, 100)
+ else:
+ self.reputation = 100
+ if self.reputation != old_rep:
+ log ReputationChanged(new_reputation=self.reputation)
Updates

Lead Judging Commences

0xshaedyw Lead Judge
about 1 month ago
0xshaedyw Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

Low – Missing Event

The contract updates reputation on successful sales but does not emit the ReputationChanged event.

Appeal created

shalu2500 Submitter
about 1 month ago
0xshaedyw Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

Low – Missing Event

The contract updates reputation on successful sales but does not emit the ReputationChanged event.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!