BriVault

First Flight #52

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Impact: medium

Likelihood: high

Invalid

Participation Fee Address Is Private with No Getter: Transparency & Usability Risk

wyd_derick

Root + Impact

Description

The vault contract defines a private participationFeeAddress to collect fees from deposits.
However, there's no public getter or event visibility for it, making it impossible for users, auditors, or frontends to verify who receives participation fees.

contract BriVault is ERC4626, Ownable {

uint256 public participationFeeBsp;

@> address private participationFeeAddress; // no getter

uint256 public minimumAmount;

...

}

Risk

Likelihood:

This issue appears every time the contract collects participation fees, since the receiving address cannot be externally verified.
It’s inevitable for any UI or integrator, because the contract doesn’t expose the address for display or validation.

Impact:

Reduces protocol transparency and auditability.
In case of misconfiguration, the owner could accidentally route fees to a wrong address without anyone noticing.

Proof of Concept

Explanation:

There’s no way to query the fee recipient via the blockchain, ABI, or block explorer.
Even verified contract interfaces won’t show the address, creating confusion for end-users and auditors.

function test_FeeAddressNotViewable() public {

// Fee address is private — cannot be read directly

// Users can’t know where fees go

(bool success, ) = address(vault).call(

abi.encodeWithSignature("participationFeeAddress()")

);

assertFalse(success); // fails because variable is private

}

Recommended Mitigation

Explanation:

Making participationFeeAddress public allows frontend display and user verification.
The setParticipationFeeAddress() function ensures controlled updates with proper event logging.
Improves trust, compliance, and operational clarity for both users and integrators.

contract BriVault is ERC4626, Ownable {

- address private participationFeeAddress;

+ address public participationFeeAddress; // ✅ visible to all

+ event ParticipationFeeAddressUpdated(address indexed oldAddress, address indexed newAddress);

+ function setParticipationFeeAddress(address newAddress) external onlyOwner {

+ require(newAddress != address(0), "Invalid address");

+ emit ParticipationFeeAddressUpdated(participationFeeAddress, newAddress);

+ participationFeeAddress = newAddress;

+ }

}

Updates

Appeal created

bube Lead Judge 19 days ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

193

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!