Constructor fails to validate event start and end dates, allowing invalid or past timestamps that trigger arithmetic overflow or inconsistent event lifecycles.

Description

• The BriVault constructor accepts _eventStartDate and _eventEndDate without validating that the start date is in the future and strictly less than the end date.

  When an invalid combination such as _eventStartDate >= _eventEndDate or _eventStartDate < block.timestamp is provided, internal arithmetic (likely _eventEndDate - _eventStartDate) can underflow, causing a panic (0x11) during deployment.

  Even when it doesn’t revert, such initialization leads to a broken vault lifecycle — events may start in the past, making it possible to immediately call functions like setWinner() or making deposits permanently fail.

Risk

Likelihood:

• Reason 1 // Describe WHEN this will occur (avoid using "if" statements)

• Reason 2

Impact:

• Deployment Failure: Constructor panics due to unchecked arithmetic.

• Lifecycle Corruption: Vault may be initialized in an invalid state (e.g., started before deployment).

  
  

• DoS: Deposits or participation actions may revert if the event is considered ended.

  
  

• Logic Abuse: Deployer could immediately finalize an event or trigger setWinner() without fair participation.

Proof of Concept

Execution output:

[FAIL: panic: arithmetic underflow or overflow (0x11)]
test_constructor_allows_invalid_dates() (gas: 3519394)

This panic demonstrates that unsafe arithmetic occurs during initialization when invalid dates are provided.

Recommended Mitigation

Add validation checks in the constructor

This ensures the vault lifecycle is consistent and prevents arithmetic underflow.