Root + Impact

Description

• When a user makes multiple deposits into the vault before the event starts, each deposit should accumulate their total staked amount and issue additional vault shares proportionally. The stakedAsset[user] mapping should reflect the total net amount staked (after fees), so that cancelParticipation() can refund the correct amount and joinEvent() uses accurate share data.

• The deposit() function overwritesstakedAsset[receiver] with each new deposit instead of adding to it. This causes the contract to permanently lose track of the user's full staked amount after the first deposit.

Risk

Likelihood:

• Users will make multiple deposits during the pre-event phase to increase their position or correct underfunding, this is a normal and expected behavior in DeFi vaults.

• The contract allows repeated calls to deposit() with no restriction, nothing prevents or warns about overwriting.

Impact:

• On cancelParticipation(), only the laststakedAsset value is refunded, but all shares are burned resulting in permanent loss of assets from prior deposits.

• If the user joins the event after multiple deposits, userSharesToCountry uses balanceOf(msg.sender) (correct total), but stakedAsset is wrong, creates inconsistency. If cancel is used, funds vanish.

Proof of Concept

The test demonstrates that two deposits (1 ETH + 2 ETH) result in stakedAsset[user] being incorrectly set to 1.97 ETH instead of the expected 2.955 ETH due to the = overwrite. When cancelParticipation() is called, only the last stake (1.97 ETH) is refunded despite burning all shares, causing a permanent loss of 0.985 ETH.

Recommended Mitigation

The original = operator overwrites the previous stakedAsset value, causing prior deposits to be forgotten. Using += accumulates the total staked amount, ensuring cancelParticipation() refunds the full amount and internal accounting remains consistent with issued shares. This is required for safe multi-deposit support.