BriVault

First Flight #52

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Impact: high

Likelihood: high

Invalid

Wrong Timestamp Check in _setFinallizedVaultBalance()

objectplayer

Root + Impact

The function validates against the wrong timestamp, checking event start instead of event end.

Description

The _setFinallizedVaultBalance() should only execute after the event ends to lock in the prize pool.
The function incorrectly checks block.timestamp <= eventStartDate when it should check eventEndDate.

function _setFinallizedVaultBalance () internal returns (uint256) {

if (block.timestamp <= eventStartDate) { // @> Wrong - should be eventEndDate

revert eventNotStarted();

}

return finalizedVaultAsset = IERC20(asset()).balanceOf(address(this));

}

Risk

Likelihood:

Called every time setWinner() is executed
Check always passes after event starts (wrong logic)
Could allow premature finalization

Impact:

Logic error in timestamp validation
Doesn't validate what it intends to
Could finalize vault balance while event ongoing
Wrong error message misleads developers

Proof of Concept

Let suppose the event start on Day1 and ends on Day30 and Today is Day-15, and the _setFinallizedVaultBalance() method is called

// eventStartDate = Day 1, eventEndDate = Day 30

// Current time = Day 15 (event ongoing)

vault._setFinallizedVaultBalance()

// Check: Day 15 <= Day 1? NO - passes

// Vault finalized during event!

// New deposits won't be in prize pool

Recommended Mitigation

The issue can be fixed by using of eventEndDate instead of eventStartDate in the if condition of method

function _setFinallizedVaultBalance () internal returns (uint256) {

- if (block.timestamp <= eventStartDate) {

- revert eventNotStarted();

+ if (block.timestamp <= eventEndDate) {

+ revert eventNotEnded();

}

return finalizedVaultAsset = IERC20(asset()).balanceOf(address(this));

}

Updates

Appeal created

bube Lead Judge 19 days ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

193

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!