BriVault

First Flight #52
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: medium
Likelihood: low
Invalid

Lack of validation for participationFeeAddress allows misdirected or lost fees

Root + Impact

Description

  • Normally, participationFeeAddress should always be a valid, nonzero address that securely receives participation fees deducted from user deposits.

  • However, the contract never validates this address during construction or when fees are transferred in deposit(). If the deployer mistakenly passes a zero address or an incorrect destination, the fee transfer will either revert (for zero address) or send tokens to an unintended wallet, resulting in lost funds.

// Root cause in the codebase with @> marks to highlight the relevant section
constructor (
    IERC20 _asset,
    uint256 _participationFeeBsp,
    uint256 _eventStartDate,
@>  address _participationFeeAddress,
    uint256 _minimumAmount,
    uint256 _eventEndDate
) ERC4626(_asset) ERC20("BriTechLabs", "BTT") Ownable(msg.sender) {
    if (_participationFeeBsp > PARTICIPATIONFEEBSPMAX) {
        revert limiteExceede();
    }
    participationFeeBsp = _participationFeeBsp;
    eventStartDate = _eventStartDate;
    eventEndDate = _eventEndDate;
@>  participationFeeAddress = _participationFeeAddress; // no validation here
    minimumAmount = _minimumAmount;
    _setWinner = false;
}

Risk

Likelihood:

  • Occurs whenever the deployer mistakenly provides a zero or invalid _participationFeeAddress.

  • Also possible if the project later upgrades or integrates external fee logic without proper verification of the existing address.

Impact:

  • Impact 1: If set to the zero address, fee transfers in deposit() will revert, blocking all deposits.

  • Impact 2: If set to an incorrect or compromised address, participation fees could be permanently lost or misappropriated.

Proof of Concept

Observed Effect:
Deposits revert or send tokens to unintended addresses, depending on the constructor parameter.

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
// BriVault must also be imported; its path depends on the project layout.

contract PoC_InvalidFeeAddress {
    IERC20 token;
    BriVault vault;

    constructor(IERC20 _token) {
        token = _token;
        // deploy vault with zero fee address
        vault = new BriVault(_token, 100, block.timestamp + 1 days, address(0), 1 ether, block.timestamp + 10 days);
    }

    function triggerDeposit() external {
        // will revert or misdirect fees due to zero address
        vault.deposit(1 ether, msg.sender);
    }
}

Recommended Mitigation

Explanation: This check ensures participationFeeAddress is a valid address during deployment, preventing funds from being misdirected or lost due to configuration errors.

constructor (
IERC20 _asset,
uint256 _participationFeeBsp,
uint256 _eventStartDate,
address _participationFeeAddress,
uint256 _minimumAmount,
uint256 _eventEndDate
) ERC4626(_asset) ERC20("BriTechLabs", "BTT") Ownable(msg.sender) {
if (_participationFeeBsp > PARTICIPATIONFEEBSPMAX) {
revert limiteExceede();
}
+ require(_participationFeeAddress != address(0), "Invalid fee address");
participationFeeBsp = _participationFeeBsp;
eventStartDate = _eventStartDate;
eventEndDate = _eventEndDate;
participationFeeAddress = _participationFeeAddress;
minimumAmount = _minimumAmount;
_setWinner = false;
}
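
Review bot: the added `require(_participationFeeAddress != address(0), "Invalid fee address");` on the `+` line uses a revert string, while the check directly above it in the same constructor uses a custom error (`revert limiteExceede();`); declaring a custom error for the zero-address case would keep the constructor's error handling consistent. The check also rejects only address(0), so it covers the deposit-blocking case from the description but not the "incorrect destination" case, which this line does not address.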

Updates

Appeal created

bube Lead Judge 19 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Missing Constructor Validation

This is an owner action, and the owner is assumed to be trusted and to provide correct input arguments.
