The `withdraw` function in `TokenManager.sol` does not update the user's balance after a withdrawal, which allows users to withdraw more tokens than they are entitled to by repeatedly calling the function.
Have a look at the `withdraw` function in `TokenManager.sol`:
Step-by-step explanation:
a. The function starts by retrieving the claimable amount: `uint256 claimAbleAmount = userTokenBalanceMap[_msgSender()][_tokenAddress][_tokenBalanceType];`
b. It then proceeds to transfer this amount to the user, either as wrapped native token or ERC20 token.
c. There's no code to update the user's balance in the `userTokenBalanceMap`.
d. This means that if the user calls the withdraw function again, the `claimAbleAmount` will still be the same as before, allowing them to withdraw the same amount again.
e. This process could be repeated multiple times, leading to the user withdrawing more tokens than they should be able to.
Users could repeatedly withdraw the same amount of tokens, effectively draining the capital pool.
Manual Review
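The pattern described in steps a to e, next to a corrected version, as an added example that is not the audited `TokenManager.sol` code. The contract name, `credit`, `totalClaimable` and `isSolvent` are hypothetical, and only a native-token balance per user is modelled instead of the token-address and balance-type keys of `userTokenBalanceMap`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration (hypothetical, simplified): not the audited contract.
contract WithdrawLedgerExample {
    // Stands in for userTokenBalanceMap, reduced to one balance per user.
    mapping(address => uint256) public claimable;
    // Sum of all outstanding claims, kept so solvency can be checked in tests.
    uint256 public totalClaimable;

    event Withdrawn(address indexed user, uint256 amount);

    // Assumption for the example: funds are credited by sending native token.
    function credit(address user) external payable {
        claimable[user] += msg.value;
        totalClaimable += msg.value;
    }

    // Pattern from the finding: the balance is read and paid out but never
    // cleared, so every later call pays the same amount again.
    function withdrawWithoutClearing() external {
        uint256 amount = claimable[msg.sender];
        if (amount == 0) return;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // Corrected pattern: clear the ledger entry before the external transfer
    // (checks-effects-interactions), so a repeated call sees a zero balance.
    function withdraw() external {
        uint256 amount = claimable[msg.sender];
        if (amount == 0) return;
        claimable[msg.sender] = 0;
        totalClaimable -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        emit Withdrawn(msg.sender, amount);
    }

    // Invariant for unit or fuzz tests: funds held must cover recorded claims.
    // It stays true after withdraw() and turns false after the first payout
    // made through withdrawWithoutClearing().
    function isSolvent() external view returns (bool) {
        return address(this).balance >= totalClaimable;
    }
}
```

Asserting `isSolvent()` after every call in a fuzz or invariant test flags a payout path that forgets to clear the ledger.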
Valid critical severity finding, the lack of clearance of the `userTokenBalanceMap` mapping allows complete draining of the CapitalPool contract. Note: This would require the approval issues highlighted in other issues to be fixed first (i.e. wrong approval address within `_transfer` and lack of approvals within `_safe_transfer_from` during ERC20 withdrawals)