The function BriVault::deposit does not take into account tokens the user has already deposited. If a user has already deposited and wants to make another deposit to increase their shares, the user's entry in the stakedAsset mapping is overwritten with the new deposit amount. If the user then cancels participation, the refunded amount is only the new deposit amount, so the user loses the tokens deposited the first time.
Likelihood:
Medium, since the issue has an impact only when a user makes several deposits and then cancels participation.
Impact:
High, since the user loses tokens.
Increase the stakedAsset mapping value instead of rewriting it:
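A minimal model of this accounting, added here as an illustration and not taken from the BriVault source. Only the stakedAsset name comes from the finding; StakeLedgerModel, held, cancelParticipation and Scenario are hypothetical, and token transfers are replaced by an internal counter so the file compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; not the BriVault source. Token transfers are modelled
// with the internal `held` counter so the contract is self-contained.
contract StakeLedgerModel {
    mapping(address => uint256) public stakedAsset; // name taken from the finding
    uint256 public held;                            // assets held by the vault (modelled)
    bool public immutable accumulate;               // false = behaviour described in the finding

    constructor(bool accumulate_) {
        accumulate = accumulate_;
    }

    function deposit(uint256 assets) external {
        require(assets > 0, "zero deposit");
        held += assets;
        if (accumulate) {
            stakedAsset[msg.sender] += assets; // mitigation: add to the running total
        } else {
            stakedAsset[msg.sender] = assets;  // bug: earlier deposits are forgotten
        }
    }

    // Hypothetical name for the cancel path: refunds whatever the mapping records.
    function cancelParticipation() external returns (uint256 refund) {
        refund = stakedAsset[msg.sender];
        stakedAsset[msg.sender] = 0;
        held -= refund;
    }
}

// Constructed scenario: one account deposits 100, then 50, then cancels.
contract Scenario {
    function run(bool accumulate) external returns (uint256 refund, uint256 stranded) {
        StakeLedgerModel vault = new StakeLedgerModel(accumulate);
        vault.deposit(100);
        vault.deposit(50);
        refund = vault.cancelParticipation();
        stranded = vault.held(); // assets left in the vault that the depositor cannot reclaim
    }
}
```

Calling Scenario.run with each flag value contrasts the refund on cancel with the amount left stranded in the vault.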
The vault tracks only a single deposit slot per user and overwrites it on every call instead of accumulating the total.