world: make world events only emitable by world #1092
Conversation
| @@ -455,6 +467,7 @@ mod world { | |||
| /// * `keys` - The keys of the event. | |||
| /// * `values` - The data to be logged by the event. | |||
| fn emit(self: @ContractState, mut keys: Array<felt252>, values: Span<felt252>) { | |||
| assert(keys.len() > 0 && !self.reserved_events.read(*keys.at(0)), 'reserved event name'); | |||
There was a problem hiding this comment.
i would prefer not to add this additional overhead to every emit.
instead, consumers should properly validate events and ensure that the caller address isn't added (see below) for world events
There was a problem hiding this comment.
so the change here should really be in torii server, where we must verify the event data length is what we expect
There was a problem hiding this comment.
i would prefer not to add this additional overhead to every emit.
instead, consumers should properly validate events and ensure that the caller address isn't added (see below) for world events
still possible to emit fake event for any event where last field is ContractAddress type or even Span / bool
There was a problem hiding this comment.
i don't think so, since the event data will be incorrectly serialized
There was a problem hiding this comment.
yes indeed mb, caller_address is added to keys not values
No description provided.