Missing updation in withdraw() could lead to draining of all funds
Summary
In the withdraw() function in TokenManager.sol, the userTokenBalanceMap variable is not updated after a withdrawal. This means that a user can continue withdrawing without any change in their balance.
Vulnerability Details
In the withdraw() function, the user can withdraw the amount present in their balance. But after the withdrawal the users balance is not reduced.
This means once a user has userTokenBalanceMap[][][] > 0, they can keep on calling the withdraw function to take out all the funds present in the contract.
Impact
This could lead to complete drainage of funds from the contract.
Tools Used
Manual Review
Recommendations
Update the userTokenBalanceMap in the withdraw function (add the following at line 144 in TokenManager.sol):
Lead Judging Commences
finding-TokenManager-withdraw-userTokenBalanceMap-not-reset
Valid critical severity finding, the lack of clearance of the `userTokenBalanceMap` mapping allows complete draining of the CapitalPool contract. Note: This would require the approval issues highlighted in other issues to be fixed first (i.e. wrong approval address within `_transfer` and lack of approvals within `_safe_transfer_from` during ERC20 withdrawals)
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.