BriVault

First Flight #52
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: low
Likelihood: low
Invalid

Missing event in `brivault::cancelParticipation` leads to silent refunds and broken off-chain tracking/auditability


Description

  • When a participant calls `cancelParticipation()`, their refund and share burn are processed correctly, but no event is emitted to record the action on-chain. As a result, off-chain systems (indexers, dashboards, and auditors) cannot detect or track user cancellations, which breaks off-chain transparency and makes analytics inconsistent.

```solidity
function cancelParticipation () public {
    if (block.timestamp >= eventStartDate){
        revert eventStarted();
    }
    uint256 refundAmount = stakedAsset[msg.sender];
    stakedAsset[msg.sender] = 0;
    uint256 shares = balanceOf(msg.sender);
    _burn(msg.sender, shares);
    IERC20(asset()).safeTransfer(msg.sender, refundAmount);
}
```

Risk

Likelihood:

  • This happens every time a participant cancels their participation.


Impact:

  • No event or record is made
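
What the missing event means for an indexer, as an added example that is not part of the original submission or the BriVault code base: without a dedicated event, cancellations have to be inferred from ERC20 `Transfer` logs, while the `ParticipationCancelled` event recommended below states them directly. The logs, addresses and the second transaction are constructed, and the sketch assumes the share burn and the refund each emit a standard `Transfer` log.

```python
# Added example: logs are constructed and already ABI-decoded; all addresses are placeholders.
ZERO = "0x" + "00" * 20
VAULT = "0x" + "aa" * 20   # placeholder vault address
ASSET = "0x" + "bb" * 20   # placeholder asset-token address
ALICE, BOB = "0x" + "a1" * 20, "0x" + "b0" * 20

def transfer(tx, emitter, src, dst, value):
    return {"tx": tx, "emitter": emitter, "event": "Transfer",
            "args": {"from": src, "to": dst, "value": value}}

def cancellations_from_transfers(logs, vault, asset):
    """Heuristic for the unpatched vault: a share burn plus an asset payout
    to the same user in the same transaction is assumed to be a cancellation."""
    burns, payouts = {}, {}
    for log in logs:
        if log["event"] != "Transfer":
            continue
        args = log["args"]
        if log["emitter"] == vault and args["to"] == ZERO:
            burns[(log["tx"], args["from"])] = args["value"]
        elif log["emitter"] == asset and args["from"] == vault:
            payouts[(log["tx"], args["to"])] = args["value"]
    return [{"tx": tx, "user": user, "refundAmount": payouts[(tx, user)],
             "burnedShares": shares}
            for (tx, user), shares in burns.items() if (tx, user) in payouts]

def cancellations_from_event(logs, vault):
    """Patched vault: one log states the cancellation and its amounts."""
    return [{"tx": log["tx"], **log["args"]} for log in logs
            if log["emitter"] == vault and log["event"] == "ParticipationCancelled"]

# tx 0x01: ALICE cancels. tx 0x02: hypothetical other code path that also
# burns shares and pays out assets, so it has the same Transfer shape.
UNPATCHED_LOGS = [
    transfer("0x01", VAULT, ALICE, ZERO, 4_900),
    transfer("0x01", ASSET, VAULT, ALICE, 5_000),
    transfer("0x02", VAULT, BOB, ZERO, 4_900),
    transfer("0x02", ASSET, VAULT, BOB, 7_000),
]
PATCHED_LOGS = UNPATCHED_LOGS[:2] + [
    {"tx": "0x01", "emitter": VAULT, "event": "ParticipationCancelled",
     "args": {"user": ALICE, "refundAmount": 5_000, "burnedShares": 4_900}},
] + UNPATCHED_LOGS[2:]

if __name__ == "__main__":
    print("inferred:", cancellations_from_transfers(UNPATCHED_LOGS, VAULT, ASSET))
    print("explicit:", cancellations_from_event(PATCHED_LOGS, VAULT))
```

The inferred list contains both transactions because the heuristic cannot tell why shares were burned; the event-based list contains only the actual cancellation.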

Proof of Concept

Put this test into `briVault.t.sol` to prove that no event recording the cancellation is emitted when `cancelParticipation` is called.
```solidity
function test_CancelParticipation_NoEventEmitted() public {
    // Owner sets countries (realistic setup)
    vm.startPrank(owner);
    briVault.setCountry(countries);
    vm.stopPrank();

    // user1 deposits and joins an event
    vm.startPrank(user1);
    mockToken.approve(address(briVault), 5 ether);
    briVault.deposit(5 ether, user1);
    briVault.joinEvent(10);
    vm.stopPrank();

    // Record every log emitted while cancelParticipation() runs
    vm.recordLogs();
    vm.startPrank(user1);
    briVault.cancelParticipation();
    vm.stopPrank();
    Vm.Log[] memory logs = vm.getRecordedLogs(); // `Vm` must be imported from forge-std

    // The only logs the vault emits are ERC20 Transfer logs (the share burn);
    // nothing identifies the action as a cancellation
    bytes32 transferSig = keccak256("Transfer(address,address,uint256)");
    for (uint256 i = 0; i < logs.length; i++) {
        if (logs[i].emitter == address(briVault)) {
            assertEq(logs[i].topics[0], transferSig);
        }
    }
    console.log("No cancellation event emitted by cancelParticipation()");
}
```

Recommended Mitigation

1. Define and emit a `ParticipationCancelled` event at the end of the function to ensure off-chain tracking and auditability.
```diff
function cancelParticipation () public {
if (block.timestamp >= eventStartDate){
revert eventStarted();
}
uint256 refundAmount = stakedAsset[msg.sender];
stakedAsset[msg.sender] = 0;
uint256 shares = balanceOf(msg.sender);
_burn(msg.sender, shares);
IERC20(asset()).safeTransfer(msg.sender, refundAmount);
+ emit ParticipationCancelled(msg.sender, refundAmount, shares);
}
+ event ParticipationCancelled(address indexed user, uint256 refundAmount, uint256 burnedShares);
```
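Review bot: the added `emit ParticipationCancelled(msg.sender, refundAmount, shares);` sits after `IERC20(asset()).safeTransfer(msg.sender, refundAmount);`, so the log is written only once the external token call has returned; moving the emit above the transfer keeps the state changes and the event together ahead of the interaction. Nothing in the visible function checks that `refundAmount` or `shares` is non-zero, so any address calling before `eventStartDate` would emit a `ParticipationCancelled` with zero values; consider reverting or skipping the emit in that case so indexers do not record empty cancellations. The `event` declaration is shown after the function's closing brace; declaring it next to the contract's other events would make it easier to find.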
Updates

Appeal created

bube Lead Judge 20 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
