Token-0x

First Flight #54

Beginner FriendlyDeFi

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Missing Transfer Events in _mint() and _burn() Breaks ERC20 Compliance

azanux

Root + Impact

Description

According to the ERC-20 standard, a Transfer event MUST be emitted when tokens are created (minted) or destroyed (burned)

// src/helpers/ERC20Internals.sol

function _mint(address account, uint256 value) internal {

assembly ("memory-safe") {

if iszero(account) {

mstore(0x00, shl(224, 0xec442f05))

mstore(add(0x00, 4), 0x00)

revert(0x00, 0x24)

}

let ptr := mload(0x40)

let balanceSlot := _balances.slot

let supplySlot := _totalSupply.slot

let supply := sload(supplySlot)

sstore(supplySlot, add(supply, value))

mstore(ptr, account)

mstore(add(ptr, 0x20), balanceSlot)

let accountBalanceSlot := keccak256(ptr, 0x40)

let accountBalance := sload(accountBalanceSlot)

sstore(accountBalanceSlot, add(accountBalance, value))

@> // Missing: emit Transfer(address(0), account, value)

}

function _burn(address account, uint256 value) internal {

assembly ("memory-safe") {

// ... validation and balance updates ...

sstore(accountBalanceSlot, sub(accountBalance, value))

@> // Missing: emit Transfer(account, address(0), value)

}

Risk

Likelihood:

Every call to _mint() or _burn() triggers this issue - it occurs 100% of the time these functions are used
Any protocol or token that inherits this ERC20 implementation and uses minting/burning functionality will be affected

Impact:

Off-chain services (block explorers, wallets, analytics platforms) will not track minted/burned tokens, leading to incorrect balance displays and supply calculations
DeFi protocols relying on Transfer event indexing will fail to detect token supply changes, potentially breaking integrations
The token becomes non-compliant with ERC-20 standard, which explicitly requires Transfer events for minting and burning operations

Proof of Concept

just call mint or burn function to see the issue , no event generated

Recommended Mitigation

Emit the Transfer event at the end of both _mint() and _burn() functions using the log3 opcode, following the same pattern already implemented in the _transfer() function.

function _mint(address account, uint256 value) internal {

assembly ("memory-safe") {

if iszero(account) {

mstore(0x00, shl(224, 0xec442f05))

mstore(add(0x00, 4), 0x00)

revert(0x00, 0x24)

}

let ptr := mload(0x40)

let balanceSlot := _balances.slot

let supplySlot := _totalSupply.slot

let supply := sload(supplySlot)

sstore(supplySlot, add(supply, value))

mstore(ptr, account)

mstore(add(ptr, 0x20), balanceSlot)

let accountBalanceSlot := keccak256(ptr, 0x40)

let accountBalance := sload(accountBalanceSlot)

sstore(accountBalanceSlot, add(accountBalance, value))

+ // Emit Transfer(address(0), account, value)

+ mstore(ptr, value)

+ log3(ptr, 0x20, 0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef, 0, account)

}

function _burn(address account, uint256 value) internal {

assembly ("memory-safe") {

if iszero(account) {

mstore(0x00, shl(224, 0x96c6fd1e))

mstore(add(0x00, 4), 0x00)

revert(0x00, 0x24)

}

let ptr := mload(0x40)

let balanceSlot := _balances.slot

let supplySlot := _totalSupply.slot

let supply := sload(supplySlot)

sstore(supplySlot, sub(supply, value))

mstore(ptr, account)

mstore(add(ptr, 0x20), balanceSlot)

let accountBalanceSlot := keccak256(ptr, 0x40)

let accountBalance := sload(accountBalanceSlot)

sstore(accountBalanceSlot, sub(accountBalance, value))

+ // Emit Transfer(account, address(0), value)

+ mstore(ptr, value)

+ log3(ptr, 0x20, 0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef, account, 0)

}

Updates

Lead Judging Commences

gaurangbrdv Lead Judge 19 days ago

Submission Judgement Published

Validated

Assigned finding tags:

missing event

missing event emission

Rewards breakdown

nSLOC

222

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!