BriVault

First Flight #52
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: low
Likelihood: low
Invalid

Non-Compliance with ERC-4626 Event Standards

Root + Impact

Description

  • An ERC-4626 compliant vault must emit the standard Deposit and Withdraw events with their specified parameters. This is needed for all external integrations, such as front-ends, analytics dashboards, and other DeFi protocols, to track the vault's activity.

  • The contract inherits ERC4626 but its custom deposit and withdraw functions do not emit the standard events. Instead, they emit custom, non-compliant events (deposited and a different Withdraw). This breaks the contract's compatibility and defeats the purpose of being ERC-4626 compliant.

event deposited (address indexed _depositor, uint256 _value);
event Withdraw (address user, uint256 _amount);
// ...
function deposit(uint256 assets, address receiver) public override returns (uint256) {
    // ... (logic) ...
    _mint(msg.sender, participantShares);
@>  emit deposited (receiver, stakeAsset); // Does not match ERC-4626 standard
    return participantShares;
}
// ...
function withdraw() external winnerSet {
    // ... (logic) ...
    _burn(msg.sender, shares);
    IERC20(asset()).safeTransfer(msg.sender, assetToWithdraw);
@>  emit Withdraw(msg.sender, assetToWithdraw); // Does not match ERC-4626 standard
}

Risk

Likelihood:

  • This is not an exploitable vulnerability but a direct failure of implementation. The contract never emits the correct events.

Impact:

  • The vault will be invisible to all ERC-4626 tooling. Indexers (like The Graph), aggregators (like Zapper), and front-ends will be unable to see any deposits or withdrawals, making the vault unusable within the wider DeFi ecosystem.

Proof of Concept

The contract's custom events do not match the required ERC-4626 standard.
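
A static check for the mismatch described above, as an added example that is not part of the original submission or the BriVault code base: it parses `event` declarations from Solidity source and compares them with the two event signatures ERC-4626 requires. The function and constant names are hypothetical, and it inspects only the declarations in the text it is given, not inherited events or `emit` sites.

```python
import re

# Events required by ERC-4626, each parameter as (type, indexed).
IDX_ADDR, UINT = ("address", True), ("uint256", False)
REQUIRED = {
    "Deposit": [IDX_ADDR, IDX_ADDR, UINT, UINT],
    "Withdraw": [IDX_ADDR, IDX_ADDR, IDX_ADDR, UINT, UINT],
}
ALIASES = {"uint": "uint256", "int": "int256"}
EVENT_RE = re.compile(r"\bevent\s+(\w+)\s*\(([^)]*)\)")

def parse_events(source):
    """Return [(name, [(type, indexed), ...]), ...] for events declared in source."""
    source = re.sub(r"//[^\n]*|/\*.*?\*/", "", source, flags=re.S)  # strip comments
    events = []
    for name, params in EVENT_RE.findall(source):
        parsed = []
        for param in filter(None, (p.strip() for p in params.split(","))):
            words = param.split()
            parsed.append((ALIASES.get(words[0], words[0]), "indexed" in words[1:]))
        events.append((name, parsed))
    return events

def signature(name, params):
    """Declaration with parameter names stripped; 'indexed' marks are kept."""
    return f"{name}({','.join(t + (' indexed' if i else '') for t, i in params)})"

def check_events(source):
    """Map each required event to 'ok', 'missing', or a mismatch description."""
    declared = parse_events(source)
    report = {}
    for name, params in REQUIRED.items():
        same_name = [p for n, p in declared if n == name]
        if params in same_name:
            report[name] = "ok"
        elif same_name:
            report[name] = "mismatch: declared " + signature(name, same_name[0])
        else:
            report[name] = "missing"
    return report

# Declarations copied from the report: the vault's events, then the proposed fix.
BEFORE = """event deposited (address indexed _depositor, uint256 _value);
event Withdraw (address user, uint256 _amount);"""
AFTER = """event Deposit(address indexed sender, address indexed owner, uint256 assets, uint256 shares);
event Withdraw(address indexed sender, address indexed receiver, address indexed owner, uint256 assets, uint256 shares);"""

if __name__ == "__main__":
    print({"before": check_events(BEFORE), "after": check_events(AFTER)})
```

A log's first topic is the keccak256 hash of the event name and parameter types, so a declaration that differs in either one produces logs that a filter for the standard event will not match.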

Recommended Mitigation

The deposit and withdraw functions must be updated to emit the standard ERC-4626 events with the correct parameters.

- event deposited (address indexed _depositor, uint256 _value);
- event Withdraw (address user, uint256 _amount);
+ event Deposit(address indexed sender, address indexed owner, uint256 assets, uint256 shares);
+ event Withdraw(address indexed sender, address indexed receiver, address indexed owner, uint256 assets, uint256 shares);
function deposit(uint256 assets, address receiver) public override returns (uint256) {
// ... (all other logic) ...
// This assumes receiver (not msg.sender) should get shares per ERC-4626
_mint(receiver, participantShares);
- emit deposited (receiver, stakeAsset);
+ // Emit the *standard* event
+ emit Deposit(msg.sender, receiver, stakeAsset, participantShares);
return participantShares;
}
function withdraw() external winnerSet {
// ... (all other logic) ...
_burn(msg.sender, shares);
IERC20(asset()).safeTransfer(msg.sender, assetToWithdraw);
- emit Withdraw(msg.sender, assetToWithdraw);
+ // Emit the *standard* event
+ emit Withdraw(msg.sender, msg.sender, msg.sender, assetToWithdraw, shares);
}
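
Review bot: in `deposit`, the mint recipient changes from `_mint(msg.sender, participantShares)` in the original snippet to `_mint(receiver, participantShares)`, but the line carries no `-`/`+` markers, so a change to who receives the shares is presented as unchanged context. Show it as an explicit removal and addition and justify it separately, or keep the mint to `msg.sender` and pass `msg.sender` as the `owner` argument of `Deposit` so the event reflects where the shares actually go. In `withdraw()`, passing `msg.sender` for sender, receiver and owner fits the parameterless function shown here and deserves a short comment saying so. If the inherited ERC4626 base already declares `Deposit` and `Withdraw`, drop the two added `event` declarations and emit the inherited ones.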
Updates

Appeal created

bube Lead Judge 19 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
