Capital pool can be drained via reentrancy
Summary
Due to missing state update in the TokenManager::withdraw(...)function, a user can drain the capital pool and steal funds.
Vulnerability Details
The TokenManager::withdraw(...)function can be called by eligible users who have claimable tokenBalanceType of a particular token.
However, the userTokenBalance[][][]is not updated for every withdrawal a user makes for a given tokenBalanceTypeof a particular _tokenAddressand as such a user can continue to call withdraw with the same parameters for the same tokenBalanceTypeand empty the capitalPoolAddr.
Impact
Theft of users funds in the deposit pool due to reentrancy
Tools Used
Manual review
Recommendations
Update the TokenManager::withdraw(...)function as shown below
Lead Judging Commences
finding-TokenManager-withdraw-userTokenBalanceMap-not-reset
Valid critical severity finding, the lack of clearance of the `userTokenBalanceMap` mapping allows complete draining of the CapitalPool contract. Note: This would require the approval issues highlighted in other issues to be fixed first (i.e. wrong approval address within `_transfer` and lack of approvals within `_safe_transfer_from` during ERC20 withdrawals)
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.