Submission Details
Impact:
Likelihood:
Missing Constructor Validation
Description
-
Deployment should ensure start time is in the future, end after start, fee address non-zero, and minimum amount positive.
-
Constructor merely assigns parameters without validation.
// src/briVault.sol:81-92
constructor (...) {
@> eventStartDate = _eventStartDate; // no validation
@> eventEndDate = _eventEndDate;
@> participationFeeAddress = _participationFeeAddress;
}
Risk
Likelihood:
-
Parameter mistakes during deployment are common; there is no safety net.
-
Any bad input immediately puts the contract into an unusable state.
Impact:
-
End dates before start enable premature
setWinneror block deposits forever. -
Zero fee address burns participation fees irretrievably.
Proof of Concept
new BriVault(asset, 150, 1700, feeAddr, 0, 1600);
// Winner can be set before deposits close; funds locked afterward.
Recommended Mitigation
constructor (...) {
+ require(_eventStartDate > block.timestamp, "start must be future");
+ require(_eventEndDate > _eventStartDate, "end after start");
+ require(_participationFeeAddress != address(0), "fee addr");
+ require(_minimumAmount > 0, "min > 0");
...
}
Updates
Appeal created
bube 20 days ago
Submission Judgement Published Reason: Non-acceptable severity
Assigned finding tags:
Missing Constructor Validation
This is owner action and the owner is assumed to be trusted and to provide correct input arguments.
Rewards breakdown
nSLOC
193This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.