BriVault

First Flight #52

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Impact: low

Likelihood: low

Invalid

`BriVault::deposit` should emit standard event Deposit, emits different one

alexscherbatyuk

Root + Impact

Description

The BriVault contract overrides the deposit function from ERC4626 to incorporate custom logic for tournament participation fees and staked asset tracking, minting shares based on net assets after fee deduction and emitting events to log the transaction.
However, instead of emitting the standard ERC4626::Deposit event with required parameters (address indexed sender, address indexed owner, uint256 assets, uint256 shares), the implementation emits a custom deposited event with non-standard parameters (address receiver, uint256 stakeAsset), violating ERC4626 compliance and potentially breaking integrations that rely on standardized event logs for indexing and UI updates.

// Root cause in the codebase with @> marks to highlight the relevant section

function deposit(uint256 assets, address receiver) public override returns (uint256) {

// Custom logic for fees and staking

...

@> emit deposited(receiver, stakeAsset);

}

Risk

Likelihood:

Frontends and indexers parse transaction logs expecting the standard Deposit event during any deposit call.
Integrations with wallets or analytics tools assume ERC4626 event signatures without reviewing custom overrides.

Impact:

User interfaces fail to display deposit confirmations or balances correctly, leading to poor UX and user confusion.
Protocol composability breaks, as dependent contracts or services cannot reliably track deposits, causing indexing errors or silent failures.

Proof of Concept

Add the following code snippet to the briVault.t.sol test file.

This test verifies that the BriVault::deposit function emits a custom event instead of the standard Deposit.

event deposited(address indexed _depositor, uint256 _value);

function test_depositEmitsCustomEvent() public {

vm.startPrank(user1);

mockToken.approve(address(briVault), 5 ether);

vm.expectEmit(true, true, false, false);

emit deposited(user1, 5 ether);

briVault.deposit(5 ether, user1);

vm.stopPrank();

}

Recommended Mitigation

Use standard event Deposit(address indexed sender, address indexed owner, uint256 assets, uint256 shares).

- emit deposited(receiver, stakeAsset);

+ emit Deposit(msg.sender, receiver, assets, shares);

Updates

Appeal created

bube Lead Judge 19 days ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

alexscherbatyuk Submitter

19 days ago

bube Lead Judge

15 days ago

bube Lead Judge 15 days ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

193

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!