Company Simulator

First Flight #51
Beginner Friendly, DeFi
100 EXP
Submission Details
Impact: high
Likelihood: high
Invalid

Broken Deposit Logic Prevents Any Assets From Entering the System

Impact

  • Users cannot deposit or fund accounts

  • Platform economy cannot initialize or generate revenue

  • System remains permanently unfunded and unusable


Likelihood

  • Always triggered because the platform provides no valid deposit mechanism

  • Any attempt to use deposit functionality fails every time

  • All users are affected on every interaction

Description

Normal behavior:
Users must be able to deposit assets into the CustomerEngine, enabling CyfrinHub to track balances and power its economy.


Issue:

There is no externally callable deposit entry point. Contract balances remain zero and the system state never updates. Deposits silently fail with no event logs or accounting changes.


Risk

Likelihood:

  • Any attempt to deposit ETH results in no value entering the contract

  • All operations relying on funded balances fail

Impact:

  • 100 percent loss of platform utility

  • No business logic or user flows can execute


Description (Root + Impact)

Normal behavior:
Users should be able to deposit ETH into CustomerEngine and have the funds recognized and recorded by CyfrinHub.

Specific issue:
There is no externally callable deposit function. Direct ETH transfers revert or fail silently. Balances inside CustomerEngine and CyfrinHub never update, so the platform can never receive funds.

Root Cause:
@> Missing or nonfunctional deposit entrypoint in CustomerEngine
@> Hub does not expose an accounting handler for forwarded value

Impact:
• Contract balance stays 0 permanently
• No user interaction requiring funds can succeed
• Full economic functionality of the platform is disabled

Proof of Concept

// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.19;

import "forge-std/Script.sol";
import "forge-std/console.sol";

// Foundry script: sends 1 ether to the engine with empty calldata and
// compares the engine's balance before and after the transfer.
contract PoC is Script {
    address public constant HUB_ADDR = 0xC6Acb7D16D51f72eAA659668F30A40d87E2E0551;
    address public constant ENGINE_ADDR = 0x3d06E92f20305D9a2D71a1D479E9EE22690Ae7E4;

    function run() external {
        vm.startBroadcast();

        uint256 beforeEngine = ENGINE_ADDR.balance;
        console.log("Engine before:", beforeEngine);

        // Simulate a user deposit
        (bool ok,) = payable(ENGINE_ADDR).call{value: 1 ether}("");
        console.log("Deposit success:", ok);

        uint256 afterEngine = ENGINE_ADDR.balance;
        console.log("Engine after:", afterEngine);

        // An unchanged balance means the transfer was not accepted
        if (afterEngine == beforeEngine) {
            console.log("PoC: No deposit recorded. System broken.");
        }

        vm.stopBroadcast();
    }
}

Execution output:
• Deposit success: false
• Contract balances unchanged ⇒ zero funds can enter the system


Recommended Mitigation

+ // Add public, payable deposit entrypoint
+ function deposit() external payable {
+ require(msg.value > 0, "No value sent");
+ balances[msg.sender] += msg.value;
+ emit Deposited(msg.sender, msg.value);
+ (bool ok,) = payable(hub).call{value: msg.value}("");
+ require(ok, "Forward to hub failed");
+ }
+ event Deposited(address indexed user, uint256 amount);
+ // Ensure Hub accepts and accounts deposits
+ function recordDeposit(address from, uint256 amount) external payable {
+ require(msg.value == amount, "Mismatched amount");
+ treasuryBalance += amount;
+ emit HubDeposited(from, amount);
+ }
+ event HubDeposited(address indexed from, uint256 amount);
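
Review bot: In deposit(), the forward to the hub is a bare call with empty calldata, (bool ok,) = payable(hub).call{value: msg.value}(""), so it can only reach a receive or fallback function on the hub and never invokes the recordDeposit(from, amount) added further down. As written, treasuryBalance is never updated and HubDeposited is never emitted, and if the hub has no payable receive function every deposit reverts at require(ok, "Forward to hub failed"). Forward by calling recordDeposit on the hub with msg.value attached and msg.sender as the from argument. Also, recordDeposit is external, takes a caller-supplied from, and has no check on msg.sender, so any account can record a deposit under an arbitrary address; restrict the caller to the engine. The declarations of balances, hub and treasuryBalance are not among the visible lines and need to be part of the change.
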
Updates

Lead Judging Commences

0xshaedyw Lead Judge
10 days ago
0xshaedyw Lead Judge 8 days ago
Submission Judgement Published
Invalidated
Reason: Design choice

Appeal created

wittyapple797 Submitter
8 days ago
0xshaedyw Lead Judge
6 days ago
0xshaedyw Lead Judge 6 days ago
Submission Judgement Published
Invalidated
Reason: Design choice
