Malicious user can drain all funds from the protocol
Funds are added to a user's userTokenBalanceMap in various ways by the respective contracts, either from the sale of points or from collateral received.
The issue stems from what happens when a malicious user withdraws with TokenManager.withdraw(): their accounting balance is not deducted or set to zero, so they can keep coming back and withdrawing again until all protocol funds are drained.
All protocol funds are drained or lost.
Manual review
After a user has finished withdrawing, set their entry in userTokenBalanceMap to zero in TokenManager.sol, since there is no option to withdraw only part of the funds.
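To illustrate the recommendation, here is an added, hypothetical reconstruction of the pattern (not the audited project's code): a minimal TokenManager whose withdraw() leaves the accounting entry untouched, beside the corrected version that clears it before transferring. The mapping layout, the IERC20 interface and the assumption that CapitalPool has approved TokenManager to pull funds via transferFrom are all assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical reconstruction for illustration only; not the project's code.
// Assumed: a standard ERC20 token and a CapitalPool that holds the funds and
// has approved this TokenManager to move them on a user's behalf.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract TokenManagerVulnerable {
    // user => token => withdrawable balance (assumed layout)
    mapping(address => mapping(address => uint256)) public userTokenBalanceMap;
    address public capitalPool;

    constructor(address _capitalPool) { capitalPool = _capitalPool; }

    function withdraw(address token) external {
        uint256 amount = userTokenBalanceMap[msg.sender][token];
        require(amount > 0, "nothing to withdraw");
        // BUG: the accounting entry is never cleared, so the same caller can
        // repeat this call until CapitalPool's token balance is exhausted.
        require(IERC20(token).transferFrom(capitalPool, msg.sender, amount), "transfer failed");
    }
}

contract TokenManagerFixed {
    mapping(address => mapping(address => uint256)) public userTokenBalanceMap;
    address public capitalPool;

    constructor(address _capitalPool) { capitalPool = _capitalPool; }

    function withdraw(address token) external {
        uint256 amount = userTokenBalanceMap[msg.sender][token];
        require(amount > 0, "nothing to withdraw");
        // Effects before interactions: zero the entry first, so a second call
        // (or a reentrant one during the transfer) finds nothing left to take.
        userTokenBalanceMap[msg.sender][token] = 0;
        require(IERC20(token).transferFrom(capitalPool, msg.sender, amount), "transfer failed");
    }
}
```

A unit test for the fix would fund one user, call withdraw() twice, and assert that the second call reverts with "nothing to withdraw" while CapitalPool's balance drops by exactly the credited amount.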
Valid critical severity finding: the lack of clearance of the `userTokenBalanceMap` mapping allows complete draining of the CapitalPool contract. Note: this would require the approval issues highlighted in other issues to be fixed first (i.e. wrong approval address within `_transfer` and lack of approvals within `_safe_transfer_from` during ERC20 withdrawals).