BriVault

First Flight #52
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: low
Likelihood: low
Invalid

Users can deposit zero tokens

Root + Impact

Description

  • Normally, users should deposit a positive amount of tokens to participate in the tournament, and deposits should update team totals and user shares accordingly.

  • The contract currently allows deposits of zero tokens, which can create unnecessary entries in userShares or teamAssets and may cause edge-case issues in payout calculations.

// Root cause in the codebase with @> marks to highlight the relevant section
pragma solidity ^0.8.0;

interface IERC20 { function transferFrom(address, address, uint256) external returns (bool); }

contract ZeroDeposit {
    IERC20 public asset;
    mapping(address => uint256) public userShares;
    mapping(uint256 => uint256) public teamAssets;

    function deposit(uint256 amount, uint256 teamId) external {
@>      asset.transferFrom(msg.sender, address(this), amount);
@>      userShares[msg.sender] += amount; // allows zero deposits
@>      teamAssets[teamId] += amount;
    }
}

Risk

Likelihood:

  • Occurs whenever a user calls deposit() with amount = 0, intentionally or by mistake.

  • Occurs whenever the contract does not validate positive deposit amounts.

Impact:

  • Impact 1: Zero-value deposits can create unnecessary bookkeeping entries, potentially confusing payout calculations.

  • Impact 2: May be exploited for trivial griefing or to interact unexpectedly with other contract logic expecting positive amounts.

Proof of Concept

Explanation:

The PoC shows that a user can deposit zero tokens, which updates internal mappings without transferring any tokens. This creates unnecessary entries and may cause unexpected behavior in payout calculations or other logic assuming positive deposits.

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumes the ZeroDeposit contract and IERC20 interface from the root-cause
// snippet above are saved beside this file as ./ZeroDeposit.sol.
import {ZeroDeposit, IERC20} from "./ZeroDeposit.sol";

contract ZeroDepositPoC {
    ZeroDeposit public vault;
    IERC20 public token;

    constructor(ZeroDeposit _vault, IERC20 _token) {
        vault = _vault;
        token = _token;
    }

    // Calls deposit() with amount = 0: no tokens move, but the function
    // completes and touches userShares / teamAssets as if a deposit happened.
    function depositZero() external {
        token.transferFrom(msg.sender, address(vault), 0);
        vault.deposit(0, 0); // zero deposit
    }
}

Recommended Mitigation

The issue can be prevented by validating that the deposit amount is greater than zero before updating any internal state. This ensures that only meaningful deposits affect userShares and teamAssets, maintaining accurate accounting and preventing unnecessary entries that could interfere with payouts or other contract logic.
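A Foundry regression test for the guard described above, added here as an example and not part of the original submission or the BriVault code base. MockToken and FixedVault are hypothetical stand-ins: MockToken is a constructed minimal ERC20, and FixedVault is the page's deposit() with the amount > 0 check and the transferFrom return value checked.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import {Test} from "forge-std/Test.sol";
// Constructed minimal ERC20 for this test; not the tournament's real token.
contract MockToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    constructor(address holder) { balanceOf[holder] = 100e18; }
    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount; return true;
    }
    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        allowance[from][msg.sender] -= amount; // reverts on underflow (0.8 checked math)
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}
// Hypothetical FixedVault: the page's deposit() with the recommended amount > 0 guard.
contract FixedVault {
    MockToken public asset;
    mapping(address => uint256) public userShares;
    mapping(uint256 => uint256) public teamAssets;
    constructor(MockToken _asset) { asset = _asset; }
    function deposit(uint256 amount, uint256 teamId) external {
        require(amount > 0, "deposit must be greater than zero");
        require(asset.transferFrom(msg.sender, address(this), amount), "transfer failed");
        userShares[msg.sender] += amount;
        teamAssets[teamId] += amount;
    }
}

contract ZeroDepositTest is Test {
    address alice = address(0xA11CE); // constructed test user
    MockToken token = new MockToken(alice);
    FixedVault vault = new FixedVault(token);
    // A zero-amount deposit must revert before any state is touched.
    function testZeroDepositReverts() public {
        vm.prank(alice);
        vm.expectRevert(bytes("deposit must be greater than zero"));
        vault.deposit(0, 1);
    }
    // A positive deposit still moves tokens and updates both mappings.
    function testPositiveDepositIsRecorded() public {
        vm.startPrank(alice);
        token.approve(address(vault), 10e18);
        vault.deposit(10e18, 1);
        vm.stopPrank();
        assertEq(vault.userShares(alice), 10e18);
        assertEq(vault.teamAssets(1), 10e18);
    }
}
```

Run with `forge test` from a project that has forge-std installed; the first test fails against the unguarded deposit() and passes once the require is in place.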


- function deposit(uint256 amount, uint256 teamId) external {
- asset.transferFrom(msg.sender, address(this), amount);
- userShares[msg.sender] += amount;
- teamAssets[teamId] += amount;
- }
+ function deposit(uint256 amount, uint256 teamId) external {
+ require(amount > 0, "deposit must be greater than zero");
+ asset.transferFrom(msg.sender, address(this), amount);
+ userShares[msg.sender] += amount;
+ teamAssets[teamId] += amount;
+ }
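Review bot: the fixed deposit() still discards the boolean returned by asset.transferFrom (the root-cause snippet declares it as `returns (bool)`), so a token that signals failure by returning false instead of reverting would let `userShares` and `teamAssets` grow with no tokens received. Wrap the call, e.g. `require(asset.transferFrom(msg.sender, address(this), amount), "transfer failed");`, or use SafeERC20's safeTransferFrom. Placing the `require(amount > 0, ...)` before the transfer is the right order, since it saves the external call on the rejected path.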
Updates

Appeal created

bube Lead Judge 20 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
