BriVault

First Flight #52

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Impact: medium

Likelihood: medium

Invalid

Medium: Constructor Allows Past `eventStartDate` — Blocks Deposits, Allows Immediate `setWinner()`

mnusurov

Medium: Constructor Allows Past `eventStartDate` — Blocks Deposits, Allows Immediate `setWinner()`

Description

Constructor accepts any eventStartDate — including past timestamps.
If eventStartDate < block.timestamp → deposit() reverts with eventStarted().

function deposit(...) public override {

if (block.timestamp >= eventStartDate) {

revert eventStarted(); // @> Blocks deposit if start date in past

}

...

}

Risk

Likelihood:

Deploy with eventStartDate in past — one deployment.

Impact:

No one can deposit — protocol unusable.
Owner can call setWinner() immediately — no event, no participation.
User confusion + DoS.

Proof of Concept

file test/BriVaultExploitTest.t.sol

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.24;

// solhint-disable-next-line no-unused-import

import {IERC20Errors} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";

import {Math} from "@openzeppelin/contracts/utils/math/Math.sol";

import {Test} from "forge-std/Test.sol";

import {BriVault} from "../src/briVault.sol";

import {MockERC20} from "./MockErc20.t.sol";

abstract contract BriVaultExploitTest is Test {

using Math for uint256;

uint256 internal constant FEE_BASE = 10000;

uint256 internal constant FEE_BSP = 100; // 1%

uint256 internal constant AFTER_FEE = FEE_BASE - FEE_BSP;

uint256 internal constant MIN_AMOUNT = 0.001 ether;

uint256 internal constant ATTACKER_AMOUNT = 1 ether;

uint256 internal constant USER1_AMOUNT = 5 ether;

uint256 internal constant WINNER_COUNTRY_ID = 0;

uint256 internal immutable startTime = block.timestamp + 1 days;

uint256 internal immutable endTime = startTime + 30 days;

MockERC20 internal immutable token = new MockERC20("Mock", "MTK");

BriVault internal vault;

address internal owner = makeAddr("owner");

address internal attacker1 = makeAddr("attacker1");

address internal attacker2 = makeAddr("attacker2");

address internal user1 = makeAddr("user1");

address internal feeAddr = makeAddr("feeAddr");

string[48] internal countries;

uint256 internal totalWinnerShares;

uint256 internal finalizedVaultAsset;

function setUp() external {

for (uint256 i = 0; i < 48; i++) countries[i] = vm.toString(i);

_deployVault(MIN_AMOUNT);

_deposit(attacker1, attacker1, ATTACKER_AMOUNT);

_deposit(user1, user1, USER1_AMOUNT);

}

function _deployVault(uint256 minAmount) internal {

vm.startPrank(owner);

vault = new BriVault({

_asset: IERC20(address(token)),

_participationFeeBsp: FEE_BSP,

_eventStartDate: startTime,

_participationFeeAddress: feeAddr,

_minimumAmount: minAmount,

_eventEndDate: endTime

});

vault.setCountry(countries);

vm.stopPrank();

}

function _deposit(address user, address receiver, uint256 assets) internal {

token.mint(user, assets);

vm.startPrank(user);

token.approve(address(vault), assets);

vault.deposit(assets, receiver);

vm.stopPrank();

finalizedVaultAsset += assets.mulDiv(AFTER_FEE, FEE_BASE);

}

function _joinEvent(address user, uint256 countryId) internal {

vm.prank(user);

vault.joinEvent(countryId);

if (countryId == WINNER_COUNTRY_ID) totalWinnerShares += vault.balanceOf(user);

}

function _withdraw(address user, uint256 userShares, string memory label) internal returns (uint256 userBalance) {

vm.prank(user);

vault.withdraw();

userBalance = userShares.mulDiv(finalizedVaultAsset, totalWinnerShares);

assertEq(userBalance, token.balanceOf(user), string(abi.encodePacked(label, " wrong balance")));

}

function _erc4626RedeemOrWithdraw(bool useRedeem, address user, string memory label) internal {

uint256 amountShares = vault.balanceOf(user);

uint256 amountAssets = vault.convertToShares(amountShares);

vm.prank(user);

useRedeem ? vault.redeem(amountShares, user, user) : vault.withdraw(amountAssets, user, user);

assertEq(

token.balanceOf(user),

amountAssets,

string(abi.encodePacked(label, " did not receive correct amount"))

);

}

function _endEventAndSetWinner() internal {

vm.warp(endTime + 1 seconds);

vm.prank(owner);

vault.setWinner(WINNER_COUNTRY_ID);

}

file test/PocM01.t.sol

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.24;

import {BriVaultExploitTest, BriVault} from "./BriVaultExploitTest.t.sol";

contract PocM01 is BriVaultExploitTest {

function test_mediumConstructorWithPastDatesBlocksDepositsAndAllowsImmediateSetWinner() external {

// Step 1: Warp to future, deploy with eventStartDate in past

vm.warp(block.timestamp + 100 days);

_deployVault(MIN_AMOUNT);

// Step 2: Try deposit — reverts

token.mint(user1, USER1_AMOUNT);

vm.startPrank(user1);

token.approve(address(vault), USER1_AMOUNT);

vm.expectRevert(abi.encodeWithSelector(BriVault.eventStarted.selector));

vault.deposit(USER1_AMOUNT, user1);

vm.stopPrank();

// Step 3: Owner sets winner immediately — succeeds

vm.prank(owner);

vault.setWinner(WINNER_COUNTRY_ID);

assertEq(vault.winner(), countries[WINNER_COUNTRY_ID], "Winner set with no event");

assertEq(vault.numberOfParticipants(), 0, "No participants");

}

Recommended Mitigation

+error InvalidStartDate();

+error InvalidEndDate();

...

constructor(

IERC20 _asset,

uint256 _participationFeeBsp,

uint256 _eventStartDate,

address _participationFeeAddress,

uint256 _minimumAmount,

uint256 _eventEndDate

) ERC4626(_asset) ERC20("BriTechLabs", "BTT") Ownable(msg.sender) {

if (_participationFeeBsp > PARTICIPATIONFEEBSPMAX) revert limiteExceede();

+ if (_eventStartDate <= block.timestamp) revert InvalidStartDate();

+ if (_eventEndDate <= _eventStartDate) revert InvalidEndDate();

participationFeeBsp = _participationFeeBsp;

eventStartDate = _eventStartDate;

eventEndDate = _eventEndDate;

participationFeeAddress = _participationFeeAddress;

minimumAmount = _minimumAmount;

_setWinner = false;

}

...

Updates

Appeal created

bube Lead Judge 19 days ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

Missing Constructor Validation

This is owner action and the owner is assumed to be trusted and to provide correct input arguments.

Rewards breakdown

nSLOC

193

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!

BriVault

Medium: Constructor Allows Past `eventStartDate` — Blocks Deposits, Allows Immediate `setWinner()`

Medium: Constructor Allows Past eventStartDate — Blocks Deposits, Allows Immediate setWinner()

Description

Risk

Proof of Concept

Recommended Mitigation

Appeal created

Missing Constructor Validation

Rewards breakdown

Live

Judging

Appeals

Appeals Review

Rewards Distribution

FAQs

Medium: Constructor Allows Past `eventStartDate` — Blocks Deposits, Allows Immediate `setWinner()`