Description
Normal behavior:
During deployment, the constructor should validate every configuration parameter (event dates, fee, fee recipient, token address, minimum amount) so that the vault operates correctly and cannot be deployed in a permanently unusable state.
Issue
The constructor does not validate critical arguments, allowing deployment with invalid or nonsensical parameters.
constructor(
IERC20 _asset,
uint256 _participationFeeBsp,
uint256 _eventStartDate,
address _participationFeeAddress,
uint256 _minimumAmount,
uint256 _eventEndDate
) ERC4626(_asset) ERC20("BriTechLabs", "BTT") Ownable(msg.sender) {
if (_participationFeeBsp > PARTICIPATIONFEEBSPMAX) {
revert limiteExceede();
}
@> eventStartDate = _eventStartDate;
@> eventEndDate = _eventEndDate;
@> participationFeeAddress = _participationFeeAddress;
@> minimumAmount = _minimumAmount;
@> _setWinner = false;
}
Risk
Likelihood:
- The constructor can be called with arbitrary arguments at deployment time without restriction.
- No validation exists to prevent a zero address, inverted timestamps, or an invalid fee configuration.
- The failure occurs whenever the deployer mistakenly supplies wrong initialization values.
Impact:
- The contract can become permanently blocked: deposits or winner setting may revert because of invalid date logic.
- Participation fees may be sent to address(0).
Proof of Concept
This PoC demonstrates that the contract deploys successfully even with invalid parameters, which later cause functional failure.
function setUp() public {
participationFeeBsp = 0;
eventStartDate = 1800; // start after end: inverted timestamps
eventEndDate = 180;
participationFeeAddress = address(0); // fee recipient is the zero address
minimumAmount = 0;
mockToken = MockERC20(address(0)); // asset is the zero address
vm.startPrank(owner);
// Deployment succeeds despite every argument being invalid
briVault = new BriVault(
IERC20(address(0)),
participationFeeBsp,
eventStartDate,
participationFeeAddress,
minimumAmount,
eventEndDate
);
vm.stopPrank();
}
function testConstructor() public {
assertEq(
briVault.participationFeeBsp(),
participationFeeBsp,
"Participation fee BSP mismatch"
);
assertEq(
briVault.eventStartDate(),
eventStartDate,
"Event start date mismatch"
);
assertEq(
briVault.minimumAmount(),
minimumAmount,
"Minimum amount mismatch"
);
assertEq(
address(briVault.asset()),
address(mockToken),
"Asset address mismatch"
);
assertEq(
briVault.eventEndDate(),
eventEndDate,
"Event end date mismatch"
);
}
Recommended Mitigation
The safest approach is to enforce strict validation for all constructor arguments, preventing any invalid deployment configuration. This ensures that only logically sound values are accepted, keeping the contract usable after deployment.
- constructor(
- IERC20 _asset,
- uint256 _participationFeeBsp,
- uint256 _eventStartDate,
- address _participationFeeAddress,
- uint256 _minimumAmount,
- uint256 _eventEndDate
- ) ERC4626(_asset) ERC20("BriTechLabs", "BTT") Ownable(msg.sender) {
- if (_participationFeeBsp > PARTICIPATIONFEEBSPMAX) {
- revert limiteExceede();
- }
- participationFeeBsp = _participationFeeBsp;
- eventStartDate = _eventStartDate;
- eventEndDate = _eventEndDate;
- participationFeeAddress = _participationFeeAddress;
- minimumAmount = _minimumAmount;
- _setWinner = false;
- }
+ constructor(
+ IERC20 _asset,
+ uint256 _participationFeeBsp,
+ uint256 _eventStartDate,
+ address _participationFeeAddress,
+ uint256 _minimumAmount,
+ uint256 _eventEndDate
+ ) ERC4626(_asset) ERC20("BriTechLabs", "BTT") Ownable() {
+ require(address(_asset) != address(0), "Invalid asset");
+ require(_participationFeeAddress != address(0), "Invalid fee address");
+ require(_participationFeeBsp <= PARTICIPATIONFEEBSPMAX, "Fee too high");
+ require(_eventStartDate < _eventEndDate, "Start must be before end");
+ require(_minimumAmount > 0, "Minimum amount must be > 0");
+ participationFeeBsp = _participationFeeBsp;
+ eventStartDate = _eventStartDate;
+ eventEndDate = _eventEndDate;
+ participationFeeAddress = _participationFeeAddress;
+ minimumAmount = _minimumAmount;
+ _setWinner = false;
+ }
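Review bot: the `+ ) ERC4626(_asset) ERC20("BriTechLabs", "BTT") Ownable() {` line drops the `msg.sender` argument that the removed version passes to `Ownable(msg.sender)`; the original code targets an OpenZeppelin version whose `Ownable` constructor takes an `initialOwner`, so the proposed constructor will not compile against it, and the argument is unrelated to the fix. Keep `Ownable(msg.sender)`. Separately, the removed block contains `participationFeeBsp = _participationFeeBsp;`, which the snippet in the Issue section omits; one of the two should be aligned with the actual source so the finding quotes the contract consistently. Since the dates are only compared with each other, a start date already in the past still passes; if that matters for the event flow, a check against `block.timestamp` would belong next to the `_eventStartDate < _eventEndDate` require.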
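The following Foundry test exercises the validated constructor proposed above, checking that a sound configuration deploys and that each invalid argument makes deployment revert with the corresponding reason string. It is an added example, not part of the original finding or of the BriVault project. The import paths, the `MockERC20` constructor signature, and the assumption that `FEE_BSP` is below `PARTICIPATIONFEEBSPMAX` are placeholders to adjust to the project's layout; `makeAddr`, `vm.expectRevert` and `assertEq` are forge-std helpers.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: Foundry test for the validated BriVault constructor.
// Not part of the original finding or the project. Import paths and the
// MockERC20 constructor signature are assumed; adjust to the project's layout.
import {Test} from "forge-std/Test.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {BriVault} from "../src/BriVault.sol";      // assumed path
import {MockERC20} from "./mocks/MockERC20.sol";   // assumed path and API

contract BriVaultConstructorTest is Test {
    MockERC20 token;
    address feeRecipient = makeAddr("feeRecipient");

    uint256 constant FEE_BSP = 100;      // assumed to be <= PARTICIPATIONFEEBSPMAX
    uint256 constant MIN_AMOUNT = 1 ether;
    uint256 start;
    uint256 end;

    function setUp() public {
        token = new MockERC20("Mock", "MCK"); // assumed constructor signature
        start = block.timestamp + 1 days;
        end = start + 7 days;
    }

    // The test contract is msg.sender during `new`, so Ownable(msg.sender)
    // makes it the owner; no prank is needed for constructor validation.
    function _deploy(
        IERC20 asset, uint256 feeBsp, uint256 s, address feeAddr, uint256 minAmt, uint256 e
    ) internal returns (BriVault) {
        return new BriVault(asset, feeBsp, s, feeAddr, minAmt, e);
    }

    function test_ValidConfigurationDeploys() public {
        BriVault v = _deploy(IERC20(address(token)), FEE_BSP, start, feeRecipient, MIN_AMOUNT, end);
        assertEq(address(v.asset()), address(token), "asset");
        assertEq(v.eventStartDate(), start, "start date");
        assertEq(v.eventEndDate(), end, "end date");
        assertEq(v.minimumAmount(), MIN_AMOUNT, "minimum amount");
    }

    // Each case mirrors one require() in the mitigation: the CREATE reverts
    // and expectRevert matches the reason string the require emits.
    function test_RevertWhen_AssetIsZeroAddress() public {
        vm.expectRevert(bytes("Invalid asset"));
        _deploy(IERC20(address(0)), FEE_BSP, start, feeRecipient, MIN_AMOUNT, end);
    }

    function test_RevertWhen_FeeAddressIsZero() public {
        vm.expectRevert(bytes("Invalid fee address"));
        _deploy(IERC20(address(token)), FEE_BSP, start, address(0), MIN_AMOUNT, end);
    }

    function test_RevertWhen_FeeExceedsMax() public {
        // type(uint256).max exceeds any PARTICIPATIONFEEBSPMAX the contract can define
        vm.expectRevert(bytes("Fee too high"));
        _deploy(IERC20(address(token)), type(uint256).max, start, feeRecipient, MIN_AMOUNT, end);
    }

    function test_RevertWhen_DatesInverted() public {
        // start and end swapped, the same inversion the PoC deploys with
        vm.expectRevert(bytes("Start must be before end"));
        _deploy(IERC20(address(token)), FEE_BSP, end, feeRecipient, MIN_AMOUNT, start);
    }

    function test_RevertWhen_MinimumAmountIsZero() public {
        vm.expectRevert(bytes("Minimum amount must be > 0"));
        _deploy(IERC20(address(token)), FEE_BSP, start, feeRecipient, 0, end);
    }
}
```

Run it with `forge test --match-contract BriVaultConstructorTest`. The zero-asset case relies on the base `ERC4626(_asset)` constructor not reverting for `address(0)` (which the original PoC already demonstrates), so the first revert reason observed is the one from the new `require`.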