BriVault
First Flight #52
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

`stakedAsset` Overwritten on Multiple Deposits

yxsec

Description

  • Users should be able to top up positions while keeping full principal refundable.

  • Each deposit assigns stakedAsset[receiver] = stakeAsset, overwriting previous value; cancelParticipation refunds only that last amount.

// src/briVault.sol:220-233
uint256 stakeAsset = assets - fee;
@>stakedAsset[receiver] = stakeAsset;
...
IERC20(asset()).safeTransfer(msg.sender, stakeAsset);

Risk

Likelihood:

  • Additional deposits are common as odds change; the bug triggers 100% of the time on second deposits.

  • No warning or restriction exists.

Impact:

  • Cancelling refunds only the latest deposit, permanently trapping earlier principal.

  • Share accounting vs refundable assets diverges, complicating state.

Proof of Concept

user.deposit(100 ether);
user.deposit(100 ether);
user.cancelParticipation(); // gets back only 100 ether, losing the first 100 ether

Recommended Mitigation

- stakedAsset[receiver] = stakeAsset;
+ stakedAsset[receiver] += stakeAsset;
Updates

Appeal created

bryanconquer Lead Judge 18 days ago
Submission Judgement Published
Validated
Assigned finding tags:

`stakedAsset` Overwritten on Multiple Deposits

Vault tracks only a single deposit slot per user and overwrites it on every call instead of accumulating the total.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!