hats-finance / Most--Aleph-Zero-Bridge-0xab7c1d45ae21e7133574746b2985c58e0ae2e61d

Aleph Zero bridge to Ethereum
Apache License 2.0

Missing event emission during contract upgrade in `most/lib.rs::set_code`. #42

Open hats-bug-reporter[bot] opened 5 months ago

hats-bug-reporter[bot] commented 5 months ago

Github username: @erictee2802
Twitter username: 0xEricTee
Submission hash (on-chain): 0x354ce942b97ca9a46ff2b79a61f4bb1272e59cc6137a3d61fc3f12f565067b0a
Severity: minor

Description: Missing event emission during contract upgrade in most/lib.rs::set_code.

Attack Scenario

The function most/lib.rs::set_code allows owners to upgrade the code implementation. However, this function is missing an event emission when the old implementation is upgraded to a new one.

Attachments

NA

  1. Proof of Concept (PoC) File

In most/lib.rs::set_code:

```rust
/// Upgrades contract code
#[ink(message)]
pub fn set_code(&mut self, code_hash: [u8; 32]) -> Result<(), MostError> {
    self.ensure_owner()?;
    set_code_hash(&code_hash)?;
    Ok(())
}
```

Noticed the function doesn't emit any event after the call.

  2. Revised Code File (Optional)

Consider making the following changes:

Add the event in most/lib.rs:

```rust
#[ink(event)]
#[derive(Debug)]
#[cfg_attr(feature = "std", derive(Eq, PartialEq))]
pub struct ContractUpgraded {
    pub new_code_hash: [u8; 32],
}
```

Emit the event in the most/lib.rs::set_code function:

/// Upgrades contract code
        #[ink(message)]
        pub fn set_code(&mut self, code_hash: [u8; 32]) -> Result<(), MostError> {
            self.ensure_owner()?;
            set_code_hash(&code_hash)?;
++          self.env().emit_event(ContractUpgraded {
++              new_code_hash: code_hash,
++          });
            Ok(())
        }
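
Review bot: the `ContractUpgraded` event emitted after `set_code_hash(&code_hash)?` carries only `new_code_hash`, and the struct shown above declares that field without `#[ink(topic)]`, so a watcher cannot filter on the hash by topic and the log does not say which owner account performed the upgrade. Consider marking `new_code_hash` as a topic and adding the caller (`self.env().caller()`) as a second field. The placement itself is sound: the `?` on `set_code_hash` returns early on failure, so the event is emitted only for an upgrade that actually took effect.
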
krzysztofziobro commented 4 months ago

Out of scope (design choice)