BriVault

First Flight #52
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: high
Likelihood: medium
Invalid

Users can deposit after the event starts

Root + Impact

Description

  • Normal behavior:
    Users should only be able to deposit before the tournament starts; any deposit made at or after eventStartDate should be rejected.

  • Specific issue:
    deposit() gates on a single timestamp, eventStartDate, using an inclusive >= comparison. That comparison is correct at the boundary: a deposit in a block whose timestamp equals eventStartDate already reverts with eventStarted().

  • There is no check against eventEndDate and, more importantly, nothing validates the window itself: that eventStartDate lies in the future when it is set, and that eventEndDate is later than eventStartDate.

  • If eventStartDate is misconfigured (set later than the tournament actually begins), the contract keeps accepting deposits after the event has effectively started. Independently, a depositor can time a transaction into the last block before eventStartDate with sight of everyone else's deposits.

// Root cause: deposit() gates on eventStartDate alone. The inclusive >= rejects any
// deposit at or after the start, so the boundary itself is closed; nothing validates
// the configured window.
@> function deposit(uint256 assets, address receiver) public override returns (uint256) {
@>     if (block.timestamp >= eventStartDate) {
@>         revert eventStarted();
@>     }
       // ... rest of deposit() (not quoted in the submission)
   }

Risk

Likelihood:

  • The inclusive >= check means a deposit in a block with block.timestamp == eventStartDate already reverts, so the comparison itself leaves no boundary gap to exploit.

  • The scenario only arises if eventStartDate is misconfigured (set later than the real start of the tournament, so the contract's window outlives the intended one), or if a depositor deliberately lands in the last block before eventStartDate after observing earlier deposits.

Impact:

  • A depositor who joins at the last moment with sight of earlier deposits has information the earlier participants did not have when they committed.

  • Deposits landing after the intended close would inflate totalParticipantShares and distort reward calculations relative to the intended participant set.

  • With a misconfigured eventStartDate, fraudulent or accidental deposits can be accepted after the event has effectively started.

Proof of Concept


Explanation:

  • The contract below simply forwards a deposit and is meant to be submitted as close to eventStartDate as possible. With the quoted guard in place the call reverts with eventStarted() once block.timestamp >= eventStartDate; it only lands if eventStartDate is still in the future at execution time, which is exactly the misconfiguration or last-block-timing case described above. Any token approvals deposit() requires are not shown here.

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal interface so the PoC compiles stand-alone; only the function
// quoted in this submission is declared.
interface IBriVault {
    function deposit(uint256 assets, address receiver) external returns (uint256);
}

contract LateDepositAttack {
    // Attempt to deposit immediately before/at eventStartDate. Reverts with
    // eventStarted() whenever block.timestamp >= eventStartDate.
    function exploit(IBriVault vault, uint256 amount) external returns (uint256) {
        return vault.deposit(amount, msg.sender);
    }
}

Recommended Mitigation

Brief explanation:

  • The on-chain guard already closes deposits at eventStartDate (inclusive), so the fix is not a different comparison but validation of the window itself: wherever eventStartDate and eventEndDate are assigned, reject an eventStartDate that is not in the future and an eventEndDate that is not after eventStartDate.

  • Only if deposits are meant to remain open after the start should deposit() gate on eventEndDate instead; with the current design, an eventEndDate check inside deposit() is redundant with the existing one.

  • Ensure front-end validations match the on-chain checks, so the UI never advertises a deposit window the contract will reject.
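To make the boundary and the window-validation point concrete, here is an added Foundry test (example code written for this page, not BriVault's own code) against a minimal stand-in vault that reproduces only the quoted guard. WindowedVault, its invalidWindow error, the constructor validation, and the START/END constants are all assumptions made for the example; BriVault's real constructor and the rest of its deposit() logic are not shown on this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Stand-in for the BriVault deposit guard (constructed for this example,
/// not the BriVault contract). Only the quoted check is reproduced.
contract WindowedVault {
    error eventStarted();
    error invalidWindow(); // assumed name, not from BriVault

    uint256 public immutable eventStartDate;
    uint256 public immutable eventEndDate;
    mapping(address => uint256) public shares;

    constructor(uint256 start, uint256 end) {
        // Deploy-time validation of the window: this is the check that closes
        // the misconfiguration case, since deposit() cannot detect it.
        if (start <= block.timestamp || end <= start) revert invalidWindow();
        eventStartDate = start;
        eventEndDate = end;
    }

    /// Same inclusive guard as the quoted BriVault code: any call at or after
    /// eventStartDate reverts, so the boundary block itself is closed.
    function deposit(uint256 assets, address receiver) external returns (uint256) {
        if (block.timestamp >= eventStartDate) revert eventStarted();
        shares[receiver] += assets; // 1:1 accounting for the example only
        return assets;
    }
}

contract DepositWindowTest is Test {
    WindowedVault vault;
    uint256 constant START = 1_000_000; // constructed timestamps
    uint256 constant END = 2_000_000;

    function setUp() public {
        vm.warp(START - 1 days);
        vault = new WindowedVault(START, END);
    }

    function test_depositInLastBlockBeforeStartSucceeds() public {
        vm.warp(START - 1);
        assertEq(vault.deposit(100, address(this)), 100);
        assertEq(vault.shares(address(this)), 100);
    }

    function test_depositAtExactStartReverts() public {
        vm.warp(START);
        vm.expectRevert(WindowedVault.eventStarted.selector);
        vault.deposit(100, address(this));
    }

    function test_depositAfterStartReverts() public {
        vm.warp(START + 1);
        vm.expectRevert(WindowedVault.eventStarted.selector);
        vault.deposit(100, address(this));
    }

    function test_startInThePastIsRejectedAtDeploy() public {
        vm.warp(START + 1);
        vm.expectRevert(WindowedVault.invalidWindow.selector);
        new WindowedVault(START, END);
    }

    function test_endBeforeStartIsRejectedAtDeploy() public {
        vm.expectRevert(WindowedVault.invalidWindow.selector);
        new WindowedVault(START, START - 1);
    }
}
```

Run with `forge test --match-contract DepositWindowTest`. The three deposit tests show that the inclusive `>=` leaves no gap at the boundary; the two deploy tests show where the only real hardening belongs, at the point the window is configured.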

- remove this code
+ add this code
+ require(block.timestamp < eventStartDate, "Deposits closed: event started");
+ require(block.timestamp < eventEndDate, "Deposits closed: event ended");
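Review bot: the first added line, `require(block.timestamp < eventStartDate, ...)`, is the exact negation of the existing `if (block.timestamp >= eventStartDate) { revert eventStarted(); }` guard, so it changes no behaviour, and the `eventEndDate` require is redundant for any configuration where eventEndDate > eventStartDate. The placeholder lines `- remove this code` / `+ add this code` also still need to be replaced with the actual removed and added lines. Suggest moving the hardening to where the window is assigned instead, e.g. `require(eventStartDate > block.timestamp)` and `require(eventEndDate > eventStartDate)`.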
Updates

Appeal created

bube Lead Judge 19 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
