BriVault
First Flight #52
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

`joinEvent` Allows Unlimited Re-Entries

yxsec

Description

  • Intended behavior is one team selection per user, with a single share snapshot.

  • joinEvent has no guard against repeated calls, so the same address is pushed into usersAddress multiple times and counted repeatedly by _getWinnerShares.

// src/briVault.sol:242-269
function joinEvent(uint256 countryId) public {
...
@> usersAddress.push(msg.sender); // no duplicate guard
...
}

Risk

Likelihood:

  • During the pre-event window, any participant can spam joinEvent for mainly gas cost.

  • Wallets resubmitting the same txn after a pending timeout will also trigger duplicates.

Impact:

  • totalWinnerShares inflates, shrinking legitimate payouts; leftover funds become permanently stuck.

  • Attackers can grief the vault with thousands of entries from a 1-wei deposit.

Proof of Concept

for (uint i; i < 1000; i++) {
vault.joinEvent(countryId); // Repeatedly counts the same shares
}
owner.setWinner(countryId);
// totalWinnerShares includes user shares 1000 times

Recommended Mitigation

+ mapping(address => bool) public hasJoinedEvent;
function joinEvent(uint256 countryId) public {
+ require(!hasJoinedEvent[msg.sender], "already joined");
...
usersAddress.push(msg.sender);
+ hasJoinedEvent[msg.sender] = true;
}
Updates

Appeal created

bube Lead Judge 16 days ago
Submission Judgement Published
Validated
Assigned finding tags:

Duplicate registration through `joinEvent`

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!