Company Simulator

First Flight #51

Beginner FriendlyDeFi

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Missing ReputationChanged event on successful sales

kaloyanstoyanov113

Missing ReputationChanged event on successful sales creates inconsistency in tracking reputation

Description

In Cyfrin_Hub.vy the sell_to_customer function updates the company's reputation in two places:
- When a sale succeeds and reputation < 100, the code increases reputation but currently does not emit ReputationChanged.
- When a sale fails due to insufficient inventory, the function decreases reputation and emits ReputationChanged(new_reputation=...).
This asymmetry means successful reputation changes are not recorded in events, reducing on-chain observability and making it harder for off-chain indexers, UIs, and auditors to track reputation history.

if self.inventory >= requested:

self.inventory -= requested

revenue: uint256 = requested * SALE_PRICE

self.company_balance += revenue

if self.reputation < 100:

# Increase reputation for successful sale

self.reputation = min(self.reputation + REPUTATION_REWARD, 100)

else:

# Maintain reputation if already at max

self.reputation = 100

log Sold(amount=requested, revenue=revenue)

# @> Event should be here

else:

self.reputation = min(max(self.reputation - REPUTATION_PENALTY, 0), 100)

log ReputationChanged(new_reputation=self.reputation)

Risk

Likelihood: High

Occurs under normal, expected circumstances

Impact: Low

Events are the canonical way to track state changes on-chain. Not emitting an event on a successful reputation increase makes the protocol harder to monitor and debug.

Proof of Concept

This is an low impact issue (missing event), so PoC is simply observing transaction traces where a successful sale increases reputation but no ReputationChanged event is emitted. Example steps:

Ensure reputation is below 100 (e.g., set to 98 in test setup).
Call sell_to_customer via the CustomerEngine with requested small enough to succeed.
Observe the transaction receipt: the Sold event should be present, the reputation state variable should have increased, but no ReputationChanged event is emitted.

Recommended Mitigation

Add an event as shown

log Sold(amount=requested, revenue=revenue)

+ log ReputationChanged(new_reputation=self.reputation)

Updates

Lead Judging Commences

0xshaedyw Lead Judge

about 2 months ago

0xshaedyw Lead Judge about 1 month ago

Submission Judgement Published

Validated

Assigned finding tags:

Low – Missing Event

The contract updates reputation on successful sales but does not emit the ReputationChanged event.

Rewards breakdown

nSLOC

265

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!