Unlimited Token Withdrawal in `withdraw()` Function
Summary
The issue allows an attacker to repeatedly withdraw funds from the system without updating their balance, enabling them to drain the entire system of its tokens.
Vulnerability Details
The issue is located in the withdraw() function of the tokenManager.sol contract. The function allows users to withdraw their balance as stored in the userTokenBalanceMap. However, after executing a withdrawal, the function fails to update the user's balance in the userTokenBalanceMap. This omission allows an attacker to repeatedly call the withdraw() function and withdraw the same balance multiple times, effectively draining the system of all its tokens.
Impact
An attacker exploiting this flaw could drain the entire system of its tokens, leading to a complete loss of funds.
Tools Used
Manual Review
Recommendations
Modify the withdraw() function to ensure that the userTokenBalanceMap is updated correctly after each withdrawal. This can be done by deducting the withdrawn amount from the user's balance immediately after the transfer.
Lead Judging Commences
finding-TokenManager-withdraw-userTokenBalanceMap-not-reset
Valid critical severity finding, the lack of clearance of the `userTokenBalanceMap` mapping allows complete draining of the CapitalPool contract. Note: This would require the approval issues highlighted in other issues to be fixed first (i.e. wrong approval address within `_transfer` and lack of approvals within `_safe_transfer_from` during ERC20 withdrawals)
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.