The loop scales linearly with the number of participants. With sufficient entries, gas costs may exceed the block limit, making it impossible for the owner to finalize the event and distribute rewards. This leads to a permanent denial of service for all users.

Description

• The function iterates over the entire usersAddress array to calculate totalWinnerShares.
  Since usersAddress grows with every call to joinEvent(), the loop executes once per registered user.
  There is no upper bound or pagination mechanism, meaning that if a large number of users join the event (or spam entries before the event starts), the setWinner() transaction that triggers this loop can exceed the gas limit and revert indefinitely.

  As a result, the contract owner may become unable to finalize the event, leaving user funds locked in the vault.

  function _getWinnerShares () internal returns (uint256) {

  //@> for (uint256 i = 0; i < usersAddress.length; ++i){

  address user = usersAddress[i];

  totalWinnerShares += userSharesToCountry[user][winnerCountryId];

  }

  return totalWinnerShares;

  }

  ​

Risk

Likelihood:

• Attainable under normal use if the event becomes popular or if attackers intentionally flood registrations.

Impact:

• Prevents the setWinner() function (and therefore all subsequent withdraw() calls) from executing, effectively freezing the entire vault permanently.

Proof of Concept

Paste the following test to briVault.t.sol:

Recommended Mitigation

Use an iterative or claim-based model instead of a full on-chain aggregation:

• Maintain running totals incrementally during joinEvent() rather than recomputing in a loop.