[H-3] In Function:deposit, _mint to msg.sender instead of receiver
Description
In Function:deposit, shares are minted to msg.sender instead of to the receiver passed by the caller:
function deposit(uint256 assets, address receiver) public override returns (uint256) {
    require(receiver != address(0));
    if (block.timestamp >= eventStartDate) {
        revert eventStarted();
    }
    ......
@>  _mint(msg.sender, participantShares);
    ......
}
Impact
Assume that user A calls deposit with user B as the receiver, intending to deposit assets on user B's behalf.
The minted shares are credited to user A (msg.sender) instead of user B, so the receiver parameter is silently ignored and the ERC-4626 deposit semantics are broken.
Proof of Concepts
Run the test function below in test/briVault.t.sol. It passes on the current code, showing that the receiver ends up with no shares:
function test_incorrect_mint_in_deposit() public {
    vm.startPrank(user1);
    mockToken.approve(address(briVault), 5 ether);
    briVault.deposit(5 ether, user2);
    vm.stopPrank();
    // user2 was named as receiver but receives nothing; the shares went to user1
    assertEq(briVault.balanceOf(user2), 0);
}
Recommended mitigation
function deposit(uint256 assets, address receiver) public override returns (uint256) {
    require(receiver != address(0));
    if (block.timestamp >= eventStartDate) {
        revert eventStarted();
    }
    ......
-   _mint(msg.sender, participantShares);
+   _mint(receiver, participantShares);
    ......
}
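As an added regression test for the mitigated deposit (this is example code written here, not part of the original finding or the project's test suite), assuming the same Foundry fixture as test/briVault.t.sol (briVault, mockToken, user1, user2, with block.timestamp before eventStartDate) and that deposit returns the number of shares minted as its ERC-4626-style signature suggests. It checks both that the receiver is credited and that the caller is not, so it fails on the vulnerable code and passes once _mint targets receiver:

```solidity
// Added example test (assumptions: briVault / mockToken / user1 / user2 fixture
// from test/briVault.t.sol, deposit() returns the minted share amount).
function test_deposit_mints_to_receiver_not_caller() public {
    uint256 callerSharesBefore = briVault.balanceOf(user1);
    uint256 receiverSharesBefore = briVault.balanceOf(user2);
    uint256 supplyBefore = briVault.totalSupply();

    vm.startPrank(user1);
    mockToken.approve(address(briVault), 5 ether);
    uint256 shares = briVault.deposit(5 ether, user2);
    vm.stopPrank();

    // A non-zero deposit must mint something.
    assertGt(shares, 0, "no shares minted");
    // The receiver, not msg.sender, must be credited with exactly the returned amount.
    assertEq(briVault.balanceOf(user2) - receiverSharesBefore, shares, "receiver not credited");
    assertEq(briVault.balanceOf(user1), callerSharesBefore, "caller must not receive shares");
    // Total supply grows by the minted amount only (no double mint).
    assertEq(briVault.totalSupply() - supplyBefore, shares, "supply mismatch");
}

// The receiver != address(0) guard shown in the finding should still hold after the fix.
function test_deposit_rejects_zero_receiver() public {
    vm.startPrank(user1);
    mockToken.approve(address(briVault), 5 ether);
    vm.expectRevert();
    briVault.deposit(5 ether, address(0));
    vm.stopPrank();
}
```

Keeping the "caller is not credited" assertion alongside the "receiver is credited" assertion is what makes this a useful regression test: a variant that mints to both addresses, or mints the wrong amount, would still be caught.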