According to the ERC20 standard, when tokens are minted, the contract must emit a Transfer event from address(0) to the recipient account. The _mint function at lines 134-156 should emit Transfer(address(0), account, value) after updating the balance and total supply, similar to how the _transfer function emits Transfer(from, to, value) events. This event emission is required for ERC20 compliance and enables off-chain systems to track token mints.
The _mint function updates the account balance and total supply but does not emit the required Transfer event. The function performs all state changes correctly but omits the event emission at the end of the assembly block. This breaks ERC20 standard compliance and prevents off-chain systems from detecting mint operations, causing integration failures with wallets, explorers, and protocols that rely on Transfer events to track token creation.
Likelihood:
High - The vulnerability occurs whenever the _mint function is called, which happens during every token minting operation. Since minting is a core functionality of ERC20 tokens and is typically called frequently during token distribution, airdrops, or reward mechanisms, this issue affects all mint operations.
High - The missing event emission happens consistently during mint operations because the function lacks the event emission code entirely. Any contract or protocol that mints tokens using this implementation will fail to emit the required Transfer event, breaking compatibility with standard ERC20 tooling and infrastructure.
Impact:
High - ERC20 standard non-compliance: The contract fails to meet the ERC20 standard requirement for emitting Transfer events during minting. This breaks compatibility with standard ERC20 interfaces and can cause integration failures with wallets, DEX aggregators, and other DeFi protocols that expect Transfer events for all token operations, including mints.
Medium - Off-chain tracking and indexing failures: Wallets, block explorers, and indexing services rely on Transfer events to track token balances and transaction history. Without the Transfer event, these systems cannot detect mint operations, leading to incorrect balance displays, missing transaction history, and broken analytics for token holders and protocols.
The proof of concept demonstrates that when tokens are minted, no Transfer event is emitted. The test test_mintEventNotEmitted() records all events during a mint operation and verifies that no events are logged, proving the missing Transfer event. The test test_mintMissingTransferEvent() expects a Transfer(address(0), account, 100e18) event but fails because the function doesn't emit it.
Running the POC: Execute forge test --match-contract MintEventPOC -vvv. The tests will demonstrate that minting tokens does not emit the required Transfer event, breaking ERC20 compliance. The test test_mintEventNotEmitted() passes, confirming no events are emitted during minting.
The fix adds the missing Transfer event emission after updating the balance and total supply. The event is emitted using Yul's log3 opcode with the Transfer event signature hash (0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef), with address(0) as the from parameter and the account as the to parameter. This ensures ERC20 standard compliance and enables off-chain systems to properly track mint operations. After applying the mitigation, the POC tests should pass, confirming that Transfer events are now emitted during minting.
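The mitigation described above, as an added sketch that is not the audited contract's code: the contract name MintEventSketch, the external mint wrapper, and the storage layout (balances mapping in slot 0, total supply in slot 1) are assumptions made so the example compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration. Names and storage layout are assumptions, not the audited code.
contract MintEventSketch {
    mapping(address => uint256) internal _balances; // slot 0 (assumed)
    uint256 internal _totalSupply;                  // slot 1 (assumed)

    event Transfer(address indexed from, address indexed to, uint256 value);

    function _mint(address account, uint256 value) internal {
        assembly ("memory-safe") {
            // Clear any dirty upper bits so the address is a clean topic and mapping key.
            account := and(account, 0xffffffffffffffffffffffffffffffffffffffff)

            // totalSupply += value, reverting on overflow.
            let supply := sload(_totalSupply.slot)
            let newSupply := add(supply, value)
            if lt(newSupply, supply) { revert(0, 0) }
            sstore(_totalSupply.slot, newSupply)

            // balances[account] += value; mapping slot = keccak256(key . baseSlot).
            // Cannot overflow here because the balance never exceeds totalSupply.
            mstore(0x00, account)
            mstore(0x20, _balances.slot)
            let balSlot := keccak256(0x00, 0x40)
            sstore(balSlot, add(sload(balSlot), value))

            // Transfer(address(0), account, value). The value is the only
            // non-indexed field, so it is the 32-byte log data; the three
            // topics are the event signature hash, from and to.
            mstore(0x00, value)
            log3(0x00, 0x20,
                0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef,
                0, account)
        }
    }

    // Hypothetical external wrapper so a test can reach _mint.
    function mint(address account, uint256 value) external {
        _mint(account, value);
    }
}
```

A Foundry test can confirm the log with vm.expectEmit(true, true, false, true) followed by emit Transfer(address(0), account, value) before calling mint.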
missing event emission