BriVault
First Flight #52
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Post-Join Deposits Desynchronize Winner Shares

yxsec

Description

  • After joining, additional deposits must update the recorded winning shares.

  • userSharesToCountry is written only once during joinEvent. Subsequent deposits increase balanceOf but not the stored share count, so withdrawals use a larger numerator than denominator.

// src/briVault.sol:260-261
uint256 participantShares = balanceOf(msg.sender);
@>userSharesToCountry[msg.sender][countryId] = participantShares; // never refreshed

Risk

Likelihood:

  • Participants routinely add stake after joining; every such action desynchronizes accounting.

  • No front-end or contract limitation exists.

Impact:

  • Withdrawal attempts demand more assets than the vault holds, causing transfers to revert and freezing everyone’s funds.

  • Entire tournament prize pool becomes unclaimable once any user tops up post-join.

Proof of Concept

user.deposit(100 ether);
user.joinEvent(1);
user.deposit(100 ether); // double the shares, winner record unchanged
owner.setWinner(1);
user.withdraw(); // Math.mulDiv uses stale denominator, transfer reverts

Recommended Mitigation

function deposit(...) public override returns (uint256) {
...
_mint(receiver, participantShares);
+ if (hasJoinedEvent[receiver]) {
+ uint256 team = countryIndexOf[receiver];
+ userSharesToCountry[receiver][team] = balanceOf(receiver);
+ }
}
Updates

Appeal created

bube Lead Judge 19 days ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
bube Lead Judge 15 days ago
Submission Judgement Published
Validated
Assigned finding tags:

Deposits after joining the event are not correctly accounted

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!