BriVault
First Flight #52
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Shares Minted to msg.sender Instead of Specified Receiver

stevenalenga

Risk

Likelihood

Attempts to deposit on behalf of another address.

Impact

Shares credited to wrong address, preventing intended receiver from participating or withdrawing. Violation of ERC4626 interface expectations.

Reference Files

src/briVault.sol

Description

  • Normally, the deposit function should mint shares to the specified receiver address as per ERC4626 standard, allowing deposits on behalf of others and maintaining proper ownership.

  • The problem is that shares are minted to msg.sender instead of the receiver parameter, violating the standard and miscrediting shares. This breaks the intended functionality of the ERC4626 deposit function.

_mint(msg.sender, participantShares); // @> Should mint to receiver

Proof of Concept

This test shows that depositing for user2 actually mints shares to user1, the depositor, instead of user2.

function testDepositForReceiver() public {
vm.startPrank(user1);
mockToken.approve(address(briVault), 5 ether);
briVault.deposit(5 ether, user2); // Intends to deposit for user2, but mints to user1
vm.stopPrank();
assertEq(briVault.balanceOf(user1), 5 ether); // Shares incorrectly go to user1
assertEq(briVault.balanceOf(user2), 0); // user2 has no shares
}

Recommended Mitigation

Correct the minting to use the receiver parameter as per ERC4626.

- _mint(msg.sender, participantShares);
+ _mint(receiver, participantShares);
Updates

Appeal created

bryanconquer Lead Judge 16 days ago
Submission Judgement Published
Validated
Assigned finding tags:

Shares Minted to msg.sender Instead of Specified Receiver

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!