Submission Details
Impact:
Likelihood:
[L-2] Redundant and Misplaced Timestamp Check in `briVault::_setFinallizedVaultBalance()`
[L-2] Redundant and Misplaced Timestamp Check in briVault::_setFinallizedVaultBalance()
Description
The internal function `briVault::_setFinallizedVaultBalance()` checks whether block.`timestamp > eventStartDate` before recording the vault balance. However, it is called within `setWinner()`, which already ensures `block.timestamp > eventEndDate`. Because the event end time is necessarily after the start time, the additional check is redundant and logically misplaced.
Additionally, the function assigns and returns `finalizedVaultAsset` in a single statement, which reduces code readability. No validation exists to prevent multiple finalizations or zero-balance states.
Furthermore, the contract lacks proper NatSpec documentation for key functions, forcing reliance on external README files for understanding behavior. This increases maintenance burden and misunderstanding risk.
```solidity
function _setFinallizedVaultBalance () internal returns (uint256) {
@> if (block.timestamp <= eventStartDate) {
@> revert eventNotStarted();
@> }
return finalizedVaultAsset = IERC20(asset()).balanceOf(address(this));
}
```
Risk
Likelihood:
-
Reason 1 // Describe WHEN this will occur (avoid using "if" statements)
-
Reason 2
Impact:
1. Minor logical confusion in time validation flow.
2. Slight gas inefficiency due to redundant conditional.
3. Could cause unintended revert if eventStartDate and eventEndDate are close or equal.
Proof of Concept
Recommended Mitigation
- remove this code
+ add this code
1. Alternatively, handle vault finalization earlier and keep the logic separated from the winner selection flow.
2. Add state checks for non-zero and single finalization.
3. Refactor combined assignment-return for clarity.
4. Implement proper Natspec for better clarity of the code base.
```diff
+ function _setFinallizedVaultBalance () internal returns (uint256) {
- if (block.timestamp <= eventStartDate) {
- revert eventNotStarted();
- }
- return finalizedVaultAsset = IERC20(asset()).balanceOf(address(this));
- }
+ /// @notice Records the vault’s asset balance once the event has started.
+ /// @dev Should not be called more than once.
+ /// @return The finalized vault balance.
+ function _setFinalizedVaultBalance() internal returns (uint256) {
+ if (finalizedVaultAsset != 0) revert AlreadyFinalized();
+ uint256 balance = IERC20(asset()).balanceOf(address(this));
+ if (balance == 0) revert EmptyVault();
+ finalizedVaultAsset = balance;
+ return balance;
}
```
Rewards breakdown
nSLOC
193This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.