Santa's List

AI First Flight #3

Beginner FriendlyFoundry

EXP

View results

Previous Next

Submission Details

Impact: low

Likelihood: low

Invalid

collectPresent and buyPresent emit no present-collected event, reducing on-chain transparency of distributions

sub99

Present distribution emits no event, reducing on-chain transparency of who received presents

Description

Neither collectPresent nor buyPresent emits an event when an NFT (and optional SantaToken) is distributed, so there is no purpose-built log signaling that a present was handed out beyond the raw ERC721 Transfer.

// SantasList.sol:147

function collectPresent() external {

...

_mintAndIncrement(); // @> no PresentCollected event emitted

return;

// SantasList.sol:172

function buyPresent(address presentReceiver) external {

i_santaToken.burn(presentReceiver);

_mintAndIncrement(); // @> no event emitted

}

Risk

Likelihood: Low

Consumers can fall back to ERC721 Transfer logs, so the gap is one of convenience and semantic clarity rather than missing data entirely. It applies to every distribution.

Impact: Low

Off-chain systems cannot easily distinguish a "present collected/bought" action from any other token transfer, and cannot tie the event to the buy-versus-collect path, reducing auditability and indexability of distributions. No funds are at risk.

Proof of Concept

Collecting a present produces no contract-specific distribution event.

function test_noPresentEventEmitted() public {

vm.warp(santasList.CHRISTMAS_2023_BLOCK_TIME());

vm.recordLogs();

vm.prank(nice);

santasList.collectPresent();

// only ERC721 Transfer appears; no PresentCollected event exists

}

Recommended Mitigation

Emit a dedicated event on each distribution path.

+ event PresentCollected(address indexed receiver, uint256 indexed tokenId);

...

- _mintAndIncrement();

+ uint256 tokenId = s_tokenCounter;

+ _mintAndIncrement();

+ emit PresentCollected(msg.sender, tokenId);

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!