BriVault

First Flight #52
Beginner Friendly / Solidity
100 EXP
Submission Details
Impact: low
Likelihood: high
Invalid

Non-Compliant Deposit and Withdraw Events with Fee Structure

Root + Impact

Description

The BriVault contract applies a custom fee on deposits but does not follow the ERC4626 guidance on event emission. According to the OpenZeppelin ERC4626 documentation, a vault that charges fees should make sure its events properly account for the fee structure.

https://docs.openzeppelin.com/contracts/4.x/erc4626#custom-behavior-adding-fees-to-the-vault

```solidity
function deposit(uint256 assets, address receiver) public override returns (uint256) {
    // ... fee calculation and transfers ...
    uint256 stakeAsset = assets - fee; // Net amount after fee
    uint256 participantShares = _convertToShares(stakeAsset);
@>  emit deposited(receiver, stakeAsset); //@audit Emits net assets, not total paid
    return participantShares;
}

function withdraw() external winnerSet {
    uint256 shares = balanceOf(msg.sender);
    uint256 assetToWithdraw = Math.mulDiv(shares, vaultAsset, totalWinnerShares);
    _burn(msg.sender, shares);
    IERC20(asset()).safeTransfer(msg.sender, assetToWithdraw);
@>  emit Withdraw(msg.sender, assetToWithdraw); //@audit Missing shares burned
}
```

Risk

Likelihood:

Impact:

  • Uses custom deposited event instead of standard ERC4626 Deposit event

    Should emit (owner, receiver, owner, assets, shares) but only emits (user, assets)

Proof of Concept

Recommended Mitigation

Update deposit event to emit total assets paid (including fees)

Update withdraw event to include both assets received and shares burned

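The two mitigation points above, shown together in an illustrative vault (an added example, not BriVault's own code): the entry fee is deducted before shares are priced, yet the standard ERC4626 `Deposit` and `Withdraw` events still report the gross assets paid and the shares minted or burned. `FEE_BPS`, `feeRecipient`, `withdrawAll` and the share-pricing logic are assumptions for the example; the winner-selection logic of the original contract is left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {ERC4626} from "@openzeppelin/contracts/token/ERC20/extensions/ERC4626.sol";
import {Math} from "@openzeppelin/contracts/utils/math/Math.sol";

// Illustrative vault (added example, not BriVault's code): an entry fee is taken on
// deposit, but the standard ERC4626 events still report gross assets and shares.
contract FeeEventVault is ERC4626 {
    using SafeERC20 for IERC20;

    uint256 public constant FEE_BPS = 100;   // assumed 1% entry fee
    address public immutable feeRecipient;   // assumed fee sink

    constructor(IERC20 asset_, address feeRecipient_)
        ERC20("Fee Vault Share", "fVS")
        ERC4626(asset_)
    {
        feeRecipient = feeRecipient_;
    }

    function deposit(uint256 assets, address receiver) public override returns (uint256 shares) {
        uint256 fee = Math.mulDiv(assets, FEE_BPS, 10_000);
        uint256 netAssets = assets - fee;
        // Shares are priced on the net amount that actually stays in the vault ...
        shares = previewDeposit(netAssets);
        IERC20(asset()).safeTransferFrom(msg.sender, address(this), assets);
        if (fee > 0) IERC20(asset()).safeTransfer(feeRecipient, fee);
        _mint(receiver, shares);
        // ... but the event reports the GROSS amount the caller paid, as the
        // ERC4626 fee guidance requires, not `assets - fee`.
        emit Deposit(msg.sender, receiver, assets, shares);
    }

    // Full-balance withdrawal. The standard Withdraw event carries both the
    // assets paid out AND the shares burned, so off-chain accounting can reconcile.
    function withdrawAll() external returns (uint256 assets) {
        uint256 shares = balanceOf(msg.sender);
        assets = previewRedeem(shares);
        _burn(msg.sender, shares);
        IERC20(asset()).safeTransfer(msg.sender, assets);
        emit Withdraw(msg.sender, msg.sender, msg.sender, assets, shares);
    }
}
```

Indexers that reconstruct balances from `Deposit`/`Withdraw` events will see the fee as the difference between the emitted `assets` and the vault's `totalAssets()` growth, which is the behaviour the OpenZeppelin guidance expects.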
Updates

Appeal created

bube Lead Judge 19 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
