BriVault

First Flight #52

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Impact: medium

Likelihood: medium

Invalid

Finalized Vault Balance Timing Check - Incorrect Timing Verification in _setFinallizedVaultBalance()

ke5haav

Root + Impact

Description

The _setFinallizedVaultBalance() function is called from setWinner() to capture the vault balance at the end of the event for winner payout calculations. Under normal behavior, this function should verify that the event has ended before finalizing the balance, ensuring accurate calculations for winner payouts.
However, the function on line 146 checks block.timestamp <= eventStartDate, which verifies if the event has started, not if it has ended. While setWinner() already ensures block.timestamp > eventEndDate before calling this function, the check in _setFinallizedVaultBalance() is checking the wrong condition. The function should verify that block.timestamp > eventEndDate to ensure the event has ended before finalizing the balance. This creates a logic inconsistency and could cause issues if the function is ever called from other contexts or if the code is refactored in the future.

// In setWinner() - line 117

if (block.timestamp <= eventEndDate) {

revert eventNotEnded(); // Ensures event has ended

}

// In _setFinallizedVaultBalance() - line 146

@>if (block.timestamp <= eventStartDate) { // Checks if event has STARTED, not ENDED

revert eventNotStarted();

}

Risk

Likelihood

This logic error occurs whenever _setFinallizedVaultBalance() is called, as it checks the wrong timing condition, verifying event start instead of event end
The bug manifests as a logic inconsistency that, while currently mitigated by setWinner()'s check, could cause issues if the function is refactored or called from other contexts

Impact

The timing check is incorrect and doesn't verify the intended condition (event end), creating a logic inconsistency in the codebase
If the function is ever called from other contexts or the code is refactored, the incorrect check could allow premature finalization before the event ends, leading to incorrect payout calculations

Proof of Concept

function testFinalizedVaultBalanceTiming() public {

uint256 eventStart = briVault.eventStartDate();

uint256 eventEnd = briVault.eventEndDate();

assertGt(eventEnd, eventStart, "Event end should be after start");

// At eventStartDate + 1, check would pass but event hasn't ended

vm.warp(eventStart + 1);

// _setFinallizedVaultBalance() check: block.timestamp > eventStartDate ✓

// But event hasn't ended yet! Should check eventEndDate

// At eventEndDate + 1, check would pass (correct)

vm.warp(eventEnd + 1);

// _setFinallizedVaultBalance() check: block.timestamp > eventStartDate ✓

// Event has ended ✓

// Issue: Checks event START, should check event END

// Should check: block.timestamp <= eventEndDate

// Actually checks: block.timestamp <= eventStartDate

}

Explanation of PoC:

This proof of concept demonstrates the incorrect timing check. The test shows that _setFinallizedVaultBalance() checks if the event has started, but it should check if the event has ended. While the current implementation is protected by setWinner()'s check, the logic is incorrect.

Test Results:

✅ _setFinallizedVaultBalance() checks block.timestamp <= eventStartDate
✅ Should check block.timestamp <= eventEndDate instead
✅ Logic inconsistency confirmed

Recommended Mitigation

Explanation:

The recommended mitigation corrects the timing check to verify that the event has ended, not just started. This ensures the function correctly validates the timing condition and maintains consistency with the intended behavior.

function _setFinallizedVaultBalance () internal returns (uint256) {

- if (block.timestamp <= eventStartDate) {

- revert eventNotStarted();

+ if (block.timestamp <= eventEndDate) {

+ revert eventNotEnded();

}

return finalizedVaultAsset = IERC20(asset()).balanceOf(address(this));

}

Updates

Appeal created

bube Lead Judge 21 days ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

193

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!