BriVault

First Flight #52
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: low
Likelihood: high
Invalid

Unused Public Variables Returning Misleading Zero Values

Root + Impact

Description

  • The BriVault contract declares two storage variables, stakedAmount and totalAssetsShares, whose names suggest they track a user's staked amount and the vault's total shares. In the contract as written, however, per-user staked balances are tracked in the stakedAsset[receiver] mapping and total shares are tracked by ERC4626's totalSupply().

  • Neither stakedAmount nor totalAssetsShares is ever written or read anywhere in the contract. Because both are declared public, the compiler generates a getter for each, so any external call to vault.stakedAmount() or vault.totalAssetsShares() returns 0 no matter how much has been deposited, giving callers a misleading view of the vault's state.

// Root cause in the codebase with @> marks to highlight the relevant section
@> uint256 public stakedAmount;
@> uint256 public totalAssetsShares;

Risk

Likelihood:

  • External systems or users query these public getters assuming they reflect actual staked assets or total shares.

  • Future contract logic attempts to rely on these variables for accounting, distributions, or analytics.

Impact:

  • External contracts, dashboards, or scripts may report incorrect data, believing the vault has zero staked assets or shares.

  • Introducing logic that depends on these unused variables could lead to incorrect payouts, calculations, or vulnerabilities.

Proof of Concept

Explanation:
The variables exist and are public, so Solidity generates a getter for each. Those getters always return 0 because nothing in the contract ever writes to the variables, even while the vault's real ERC4626 accounting (totalSupply()) reflects the deposit.

// Foundry test. Assumes the enclosing test contract inherits forge-std's Test and that
// `mockToken` is a mintable mock ERC20 deployed in setUp() (the harness is not shown on this page).
function testPublicUnusedVariables() public {
    // Constructor arguments as given in the submission
    BriVault vault = new BriVault(IERC20(address(mockToken)), 150, block.timestamp + 1 days, address(this), 1 ether, block.timestamp + 10 days);

    // Deposit 10 ether of the asset from this address
    mockToken.mint(address(this), 10 ether);
    mockToken.approve(address(vault), 10 ether);
    vault.deposit(10 ether, address(this));

    // The real ERC4626 accounting reflects the deposit...
    assertGt(vault.totalSupply(), 0, "deposit should have minted shares");

    // ...but the public getters for the unused variables still return 0
    uint256 totalSharesStored = vault.totalAssetsShares();
    uint256 stakedStored = vault.stakedAmount();
    assertEq(totalSharesStored, 0, "totalAssetsShares is expected to stay 0 (never written)");
    assertEq(stakedStored, 0, "stakedAmount is expected to stay 0 (never written)");
}

Recommended Mitigation

Remove the unused public variables to prevent misleading external queries and reduce the risk of future misuse.

- uint256 public stakedAmount;
- uint256 public totalAssetsShares;
+ // removed; actual data is tracked via stakedAsset mapping and ERC4626 totalSupply()
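Review bot: deleting the two declarations also removes their auto-generated getters from the vault's ABI, so any external caller that the Description says may already be querying vault.stakedAmount() or vault.totalAssetsShares() will start reverting instead of receiving 0; state that interface change explicitly in the mitigation. If the vault were ever deployed behind an upgradeable proxy, removing two storage slots would also shift the layout of every variable declared after them, so the deletion is only safe for a fresh deployment.
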
Updates

Appeal created

bube Lead Judge 19 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Gas optimizations

Gas optimizations are invalid according to the CodeHawks documentation.
