Unrestricted ERC‑4626 redeem/withdraw Allows Non‑winners to Exit and Drain Pool
Critical Finding (F-001)
Title: Unrestricted ERC‑4626 redeem/withdraw Allows Non‑winners to Exit and Drain Pool
Impact: Losers can call standard ERC‑4626 withdrawal functions to retrieve assets after deposit but before winner settlement, preventing correct distribution to winners and breaking the wagering logic.
Evidence: ERC‑4626 exposes public redeem/withdraw which calculate assets = shares * totalAssets() / totalSupply(). Without restrictions, registered participants can redeem their shares.
Recommendation (formal mitigation):
Explicitly override public ERC‑4626 withdrawal entry points (redeem, withdraw) to block withdrawals for registered participants while the event has started.
Allow standard withdrawals only when the user is not registered or the event has not started.
Ensure the vault’s custom withdraw() (winner-only) and cancelParticipation() (pre-start) remain the only permitted exit paths for registered users.
Suggested override (illustrative):
Notes: Add unit tests for the locked state and for non-registered users to ensure expected ERC‑4626 behavior outside the event lifecycle.
Appeal created
Unrestricted ERC4626 functions
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.