stakedAsset Overwritten on Multiple Deposits Leading to Loss of Funds
Users depositing multiple times before the event starts.
Permanent loss of funds from previous deposits when canceling participation. Inconsistent state between stakedAsset and minted shares.
src/briVault.sol
In normal operation, the deposit function should accumulate the total staked assets for each user to allow full refunds when canceling participation. This ensures that users can retrieve all their deposited funds if they choose to cancel before the event begins.
The issue is that stakedAsset[receiver] is assigned the current stakeAsset instead of adding to it, causing only the last deposit amount to be stored, while shares are correctly accumulated. This leads to a mismatch where the contract tracks more shares than the actual staked assets recorded, resulting in partial refunds and fund loss.
The following test demonstrates the vulnerability: a user deposits 5 ether twice, but stakedAsset only records the last 5 ether. When canceling, only 5 ether is refunded, but 10 shares are burned, causing a loss of 5 ether.
To fix this, change the assignment to accumulation in the deposit function. This ensures stakedAsset correctly sums all deposits for proper refunds.
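A simplified accounting model of the overwrite and the fix described above, added here as an illustration and not taken from src/briVault.sol. It assumes shares are minted 1:1 with the deposited amount and leaves out token transfers and fees; the contract and function names (VaultAccountingModel, depositOverwrite, depositAccumulate, cancel, Walkthrough) are hypothetical, and only stakedAsset, stakeAsset and receiver follow the names used in the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: accounting only, not the BriVault source.
// Assumptions: shares minted 1:1 with assets, no fees, no token transfers.
contract VaultAccountingModel {
    mapping(address => uint256) public stakedAsset; // amount refundable on cancel
    mapping(address => uint256) public shares;      // shares held per user
    uint256 public totalHeld;                       // assets the vault still holds

    // Behaviour the finding describes: the recorded stake is overwritten.
    function depositOverwrite(uint256 stakeAsset, address receiver) external {
        stakedAsset[receiver] = stakeAsset; // earlier deposits are forgotten
        shares[receiver] += stakeAsset;     // shares still accumulate
        totalHeld += stakeAsset;
    }

    // Fix the finding describes: accumulate instead of assign.
    function depositAccumulate(uint256 stakeAsset, address receiver) external {
        stakedAsset[receiver] += stakeAsset;
        shares[receiver] += stakeAsset;
        totalHeld += stakeAsset;
    }

    // Cancel: refund the recorded stake and burn every share the user holds.
    function cancel(address user) external returns (uint256 refund) {
        refund = stakedAsset[user];
        stakedAsset[user] = 0;
        shares[user] = 0;
        totalHeld -= refund;
    }
}

contract Walkthrough {
    function run() external {
        VaultAccountingModel a = new VaultAccountingModel();
        a.depositOverwrite(5 ether, address(this));
        a.depositOverwrite(5 ether, address(this));
        assert(a.shares(address(this)) == 10 ether);     // shares for both deposits
        assert(a.stakedAsset(address(this)) == 5 ether); // only the last deposit
        assert(a.cancel(address(this)) == 5 ether);
        assert(a.totalHeld() == 5 ether);                // stranded in the vault

        VaultAccountingModel b = new VaultAccountingModel();
        b.depositAccumulate(5 ether, address(this));
        b.depositAccumulate(5 ether, address(this));
        assert(b.cancel(address(this)) == 10 ether);
        assert(b.totalHeld() == 0);
    }
}
```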
Vault tracks only a single deposit slot per user and overwrites it on every call instead of accumulating the total.