BriVault

First Flight #52
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: medium
Likelihood: medium
Invalid

Funds Stuck if User Deposits but Doesn't Join

Root + Impact

Description

  • Users can deposit without calling the joinEvent() function.

  • After eventStartDate, they cannot cancel and cannot use the custom withdraw() (which requires joining and winning). These funds are permanently stuck, effectively donated to the winners.

Risk

Likelihood:

  • Occurs when a user deposits funds with deposit() but has not called joinEvent() by the time the event starts.

Impact:

  • User A deposits 100 before eventStartDate but doesn't call joinEvent().
    After eventStartDate, the user cannot cancel (the call reverts with eventStarted()) or withdraw the deposited amount.

Proof of Concept

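    // Deposit before the event starts, never call joinEvent(), then try to cancel after the start.
    function test_cancelParticipation_afterEventStart() public {
        vm.startPrank(user1);
        mockToken.approve(address(briVault), 5 ether);
        briVault.deposit(5 ether, user1); // deposit only; joinEvent() is never called
        vm.warp(eventStartDate + 4); // move past the event start
        // cancelParticipation() is rejected once the event has started
        vm.expectRevert(abi.encodeWithSignature("eventStarted()"));
        briVault.cancelParticipation();
        vm.stopPrank();
    }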

Recommended Mitigation

Combine the deposit and join into one function (e.g., depositAndJoin(uint256 assets, uint256 countryId)).
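
A sketch of the combined entry point recommended above, added here as an illustration; it is a simplified model and not the BriVault source. Apart from eventStartDate, eventStarted() and the depositAndJoin signature, every name is hypothetical, and the sketch assumes the caller deposits for themselves and that a top-up must keep the country already picked.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

// Added illustration: simplified model, not the BriVault contract.
// Hypothetical names: IERC20Like, stakeOf, countryOf, countryCount, extra errors.
interface IERC20Like {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract DepositAndJoinSketch {
    error eventStarted();
    error invalidCountry();
    error zeroAssets();
    error transferFailed();

    IERC20Like public immutable asset;
    uint256 public immutable eventStartDate;
    uint256 public immutable countryCount;

    mapping(address => uint256) public stakeOf;   // deposited assets per user
    mapping(address => uint256) public countryOf; // stored 1-based; 0 means "not joined"

    constructor(IERC20Like asset_, uint256 eventStartDate_, uint256 countryCount_) {
        asset = asset_;
        eventStartDate = eventStartDate_;
        countryCount = countryCount_;
    }

    // Single entry point: a balance is only ever recorded together with a pick,
    // so the "deposited but never joined" state cannot be reached.
    function depositAndJoin(uint256 assets, uint256 countryId) external {
        if (block.timestamp >= eventStartDate) revert eventStarted();
        if (assets == 0) revert zeroAssets();
        if (countryId >= countryCount) revert invalidCountry();

        uint256 pick = countryId + 1;
        uint256 current = countryOf[msg.sender];
        // Assumption: a later top-up must keep the existing pick.
        if (current != 0 && current != pick) revert invalidCountry();

        // Record state before the external token call.
        countryOf[msg.sender] = pick;
        stakeOf[msg.sender] += assets;
        if (!asset.transferFrom(msg.sender, address(this), assets)) revert transferFailed();
    }
}
```

If the vault exposes any other public deposit path, it has to revert or route through the same checks, otherwise the stuck state stays reachable.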

Updates

Appeal created

bube Lead Judge 21 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
