BriVault

First Flight #52

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Impact: medium

Likelihood: medium

Invalid

No restrictions on multiple deposits in a single team

eze001

Root + Impact

Description

Normally, users should be able to deposit tokens to participate in a team, but each deposit should correctly update the user’s shares without creating inconsistencies.
The contract does not prevent multiple deposits to the same team, which can lead to duplicate entries, inconsistent accounting, or unintended inflation of user shares for a single team.// Root cause in the codebase with @> marks to highlight the relevant section

Risk

Likelihood:

Occurs whenever a user deposits multiple times to the same team, as there is no mechanism to prevent repeated deposits.
Occurs whenever the contract does not track per-deposit limits or update rules, allowing duplicate accumulation.

Impact:

Impact 1: Users may unintentionally inflate their share of the pool, which could affect payouts or create accounting inconsistencies.
Impact 2: Malicious actors could exploit repeated deposits to gain an unfair advantage over other participants.

Proof of Concept

The PoC shows that a user can deposit multiple times to the same team, inflating their shares and the team’s total. This can lead to unfair advantages and accounting inconsistencies in the vault.

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.0;

contract MultipleDepositPoC {

MultipleDeposits public vault;

IERC20 public token;

constructor(MultipleDeposits _vault, IERC20 _token) {

vault = _vault;

token = _token;

}

function depositTwice(uint256 amt, uint256 teamId) external {

token.transferFrom(msg.sender, address(vault), amt);

vault.deposit(amt, teamId);

// second deposit

token.transferFrom(msg.sender, address(vault), amt);

vault.deposit(amt, teamId);

}

Recommended Mitigation

Prevent users from depositing multiple times to the same team by checking userTeam[msg.sender] before accepting a deposit. This ensures accounting consistency and fair share allocation.

- function deposit(uint256 amount, uint256 teamId) external {

- asset.transferFrom(msg.sender, address(this), amount);

- userShares[msg.sender] += amount;

- userTeam[msg.sender] = teamId;

- teamAssets[teamId] += amount;

- }

+ function deposit(uint256 amount, uint256 teamId) external {

+ require(userTeam[msg.sender] != teamId, "already deposited to this team");

+ asset.transferFrom(msg.sender, address(this), amount);

+ userShares[msg.sender] += amount;

+ userTeam[msg.sender] = teamId;

+ teamAssets[teamId] += amount;

+ }

Updates

Appeal created

bube Lead Judge 21 days ago

Submission Judgement Published

Invalidated

Reason: Out of scope

Rewards breakdown

nSLOC

193

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!