The vault allows users to transfer their ERC-4626 shares freely at any time, and also provides a cancelParticipation() function that refunds a user’s full stakedAsset[msg.sender] amount while burning only their current share balance.
Because the cancelParticipation() refund logic depends on stakedAsset[msg.sender] (which is not adjusted when the user transfers shares), an attacker can exploit this by transferring their shares to another address that has already joined the event before requesting a refund.
Impact: The second address participates in the tournament with free shares.
Likelihood: High
The exploit is trivial: only standard ERC-20 transfer() and ERC-4626 redeem() calls are required. No timing or complex setup is needed.
Impact:
A user with two addresses can participate in the tournament for free.
Setup:
Wallet2 deposits a small amount and joins a team
Attacker deposits 100 ETH → gets 98.5 shares
Attacker transfers 98.5 shares to wallet2
Attacker calls cancelParticipation() → gets 98.5 ETH refund
Wallet2 uses free shares in the tournament
Event ends
Wallet2 withdraws if it is on the winning team (in any case it participated with free shares)
This can be repeated with many addresses to increase the chance of winning and to take the final profit.
Make shares non-transferable until after the event by overriding the _update function.
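As an added illustration of this recommendation (not code from the audited project), a hypothetical vault that overrides OpenZeppelin v5's ERC20 _update hook so shares can be minted and burned but not moved between wallets while the event runs; LockedEventVault, organizer, eventEnded and endEvent() are assumed names:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {ERC4626} from "@openzeppelin/contracts/token/ERC20/extensions/ERC4626.sol";

/// Hypothetical vault sketch (not the audited contract) showing the recommended fix:
/// shares cannot move between accounts until the organizer marks the event as ended.
contract LockedEventVault is ERC4626 {
    address public immutable organizer;
    bool public eventEnded;

    error SharesLockedUntilEventEnd();

    constructor(IERC20 asset_, address organizer_)
        ERC20("Event Vault Share", "evSHARE")
        ERC4626(asset_)
    {
        organizer = organizer_;
    }

    /// Assumed lifecycle hook: once called, ordinary share transfers are allowed again.
    function endEvent() external {
        require(msg.sender == organizer, "not organizer");
        eventEnded = true;
    }

    /// OpenZeppelin v5 routes every mint, burn and transfer through _update.
    /// Mints (from == 0) and burns (to == 0) stay allowed so deposit/redeem and the
    /// refund burn keep working; wallet-to-wallet moves revert while the event is live,
    /// so a refund can only burn shares that the same account still holds.
    function _update(address from, address to, uint256 value) internal override {
        if (from != address(0) && to != address(0) && !eventEnded) {
            revert SharesLockedUntilEventEnd();
        }
        super._update(from, to, value);
    }
}
```

Because ERC4626's deposit and redeem paths call _mint and _burn, which also go through _update, the check above covers transfer() and transferFrom() without touching the vault's accounting.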