BriVault

First Flight #52

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Impact: high

Likelihood: medium

Invalid

[L-1] The `briVault::setWinner` does not follow the Checks, Effects and Interactions (CEI) pattern

0xliltee

[L-1] The `briVault::setWinner` does not follow the Checks, Effects and Interactions (CEI) pattern

Description

The `briVault::setWinner` violates the checks effects and interactions pattern by updating the winner be for setting the winner to `true`

```solidity

function setWinner(uint256 countryIndex) public onlyOwner returns (string memory) {

if (block.timestamp <= eventEndDate) {

revert eventNotEnded();

}

require(countryIndex < teams.length, "Invalid country index");

if (_setWinner) {

revert WinnerAlreadySet();

}

@> winnerCountryId = countryIndex;

@> winner = teams[countryIndex];

@> _setWinner = true;

_getWinnerShares();

_setFinallizedVaultBalance();

emit WinnerSet (winner);

return winner;

}

```

Risk

Likelihood:

Medium — while not always immediately exploitable, violating the CEI pattern increases the risk of reentrancy or state inconsistency if external calls are made before internal state updates. Exploitation depends on whether the called contracts are untrusted.

Impact:

The impact is likely low but its impoartant that the CEI patterns is properly executed in this code base for proper functionality of the protocol.

Proof of Concept

```diff

function setWinner(uint256 countryIndex) public onlyOwner returns (string memory) {

if (block.timestamp <= eventEndDate) {

revert eventNotEnded();

}

- require(countryIndex < teams.length, "Invalid country index");

if (_setWinner) {

revert WinnerAlreadySet();

}

- winnerCountryId = countryIndex;

- winner = teams[countryIndex];

- _setWinner = true;

_getWinnerShares();

_setFinallizedVaultBalance();

emit WinnerSet (winner);

return winner;

}

```

Recommended Mitigation

- remove this code

+ add this code

Follow the CEI pattern for proper functionality

```diff

+function setWinner(uint256 countryIndex) public onlyOwner returns (string memory) {

+ if (block.timestamp <= eventEndDate) {

+ revert eventNotEnded();

+ }

+ if (_setWinner) {

+ revert WinnerAlreadySet();

+ }

+ require(countryIndex < teams.length, "Invalid country index");

+ _setWinner = true;

+ winnerCountryId = countryIndex;

+ winner = teams[countryIndex];

+ _getWinnerShares();

+ _setFinallizedVaultBalance();

+ emit WinnerSet (winner);

+ return winner;

}

```

Updates

Appeal created

bube Lead Judge 19 days ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

193

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!

BriVault

[L-1] The `briVault::setWinner` does not follow the Checks, Effects and Interactions (CEI) pattern

[L-1] The briVault::setWinner does not follow the Checks, Effects and Interactions (CEI) pattern

Description

Risk

Proof of Concept

Recommended Mitigation

Appeal created

Rewards breakdown

Live

Judging

Appeals

Appeals Review

Rewards Distribution

FAQs

[L-1] The `briVault::setWinner` does not follow the Checks, Effects and Interactions (CEI) pattern