BriVault

First Flight #52
Beginner Friendly, Solidity
Submission Details
Severity: high
Valid

Unrestricted ERC4626 exits let anyone bypass game logic and withdraw assets at any time

Root + Impact

Description

  • Normal behavior: Assets should be withdrawable only via the custom withdraw() after the event ends, and only by winners.

  • Issue: The contract inherits ERC4626 but does not override/disable its standard withdraw/redeem, allowing any share holder to exit at any time, ignoring the game rules.

// @> contract BriVault is ERC4626, Ownable { ... }
// No overrides to block ERC4626 exits:
// function withdraw(uint256, address, address) public virtual returns (uint256);
// function redeem(uint256, address, address) public virtual returns (uint256);

Risk

Likelihood:

  • As soon as any shares exist, users will call the built-in ERC4626.withdraw/redeem directly during the event.

  • Wallets/tooling that understand ERC4626 expose these functions by default.

Impact:

  • Game economics collapse: losers (or anyone) can withdraw before or after the event ends.

  • Vault can be drained outside the intended flow.

Proof of Concept

// Attacker already holds shares:
vault.withdraw(1e18, attacker, attacker);
// or
vault.redeem(vault.balanceOf(attacker), attacker, attacker);

Recommended Mitigation
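
A minimal sketch of the missing overrides, added here as an example and not taken from the BriVault code base or from this submission. It assumes OpenZeppelin Contracts v5's ERC4626; the contract name GatedExitVault, the error StandardExitDisabled and the share-token name and symbol are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {ERC4626} from "@openzeppelin/contracts/token/ERC20/extensions/ERC4626.sol";

/// Hypothetical stand-in for BriVault. Only the inherited ERC4626 exit
/// surface is shown; the game's own custom withdraw() is a separate
/// function with a different signature and is not reproduced here.
contract GatedExitVault is ERC4626 {
    error StandardExitDisabled();

    // Assumption: share-token name and symbol are placeholders.
    constructor(IERC20 asset_) ERC20("Gated Vault Share", "GVS") ERC4626(asset_) {}

    /// Inherited ERC4626 exit by asset amount: always reverts, so a share
    /// holder cannot leave outside the game flow.
    function withdraw(uint256, address, address) public pure override returns (uint256) {
        revert StandardExitDisabled();
    }

    /// Inherited ERC4626 exit by share amount: same treatment as withdraw.
    function redeem(uint256, address, address) public pure override returns (uint256) {
        revert StandardExitDisabled();
    }

    /// EIP-4626 requires maxWithdraw to return 0 when withdrawals are
    /// disabled, so wallets and integrators that query it see no exit.
    function maxWithdraw(address) public pure override returns (uint256) {
        return 0;
    }

    /// Same rule for the share-denominated limit.
    function maxRedeem(address) public pure override returns (uint256) {
        return 0;
    }
}
```

With these overrides in place, both calls in the Proof of Concept revert with StandardExitDisabled instead of transferring assets.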

- remove this code
+ add this code
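
Review bot: both lines of this diff are still the submission template's placeholder text ("remove this code" / "add this code"), so the report does not actually state a fix. The change the Description calls for is an override in BriVault of the inherited three-argument `withdraw` and `redeem` that either reverts or applies the same after-the-event, winners-only checks as the custom withdraw(); the diff should show that override.
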
Updates

Appeal created

bube Lead Judge 19 days ago
Submission Judgement Published
Validated
Assigned finding tags:

Unrestricted ERC4626 functions
