The `TokenManager::withdraw` function allows users to claim the tokens credited to them in `userTokenBalanceMap`, and it sends the whole value stored in `userTokenBalanceMap` for that user, token and balance type. However, it never resets that value to 0, so the entry in the map stays unchanged and the user can withdraw again and again. The balance should therefore be reset to 0 after every withdrawal to prevent multiple claims.
The vulnerability is in the `TokenManager::withdraw` function starting from line 137: it does not reset the `userTokenBalanceMap` entry to 0, allowing a user to claim multiple times.
Because the map is never updated, a user can drain the whole CapitalPool, which prevents other users from claiming their funds. The function was expected to pay out a claim only once, unless the balance is increased again by the addTokenBalance function; because the map is left unupdated, a user can withdraw multiple times.
Any user can withdraw multiple times and drain the CapitalPool.
Genuine users will then be unable to withdraw, as the CapitalPool is drained.
Manual Review
At line 148 in TokenManager, update the `userTokenBalanceMap` entry to 0, as below:
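To make the bug and the fix concrete, here is an added illustration in Solidity that is not the project's code and not part of the original report: a vulnerable `withdraw` that leaves `userTokenBalanceMap` untouched, next to a fixed one that zeroes the entry before the external call. The `CapitalPoolStub`, `TokenManagerBase`, the `operator` check and the three-level key layout (user, token, balance type) are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical stand-in for the CapitalPool: holds the ERC20 funds and pays
// out only when the registered manager instructs it. Not the project's code.
contract CapitalPoolStub {
    address public manager;

    // One-time wiring so the pool can be deployed before the manager.
    function setManager(address manager_) external {
        require(manager == address(0), "manager already set");
        manager = manager_;
    }

    function payOut(address token, address to, uint256 amount) external {
        require(msg.sender == manager, "only manager");
        require(IERC20(token).transfer(to, amount), "transfer failed");
    }
}

// Shared storage and crediting logic. The mapping is keyed by user, token and
// balance type, matching the finding's description; the exact key layout and
// the operator check are assumptions for this example.
abstract contract TokenManagerBase {
    CapitalPoolStub public immutable capitalPool;
    address public immutable operator;
    mapping(address => mapping(address => mapping(uint8 => uint256)))
        public userTokenBalanceMap;

    constructor(CapitalPoolStub pool_, address operator_) {
        capitalPool = pool_;
        operator = operator_;
    }

    // Stand-in for the page's addTokenBalance: the only legitimate way a
    // claimable balance should grow.
    function addTokenBalance(address user, address token, uint8 balanceType, uint256 amount) external {
        require(msg.sender == operator, "only operator");
        userTokenBalanceMap[user][token][balanceType] += amount;
    }

    function withdraw(address token, uint8 balanceType) external virtual;
}

// VULNERABLE: the entry is read and paid out but never cleared, so every
// repeat call pays the same amount again until the pool is empty.
contract TokenManagerVulnerable is TokenManagerBase {
    constructor(CapitalPoolStub pool_, address operator_) TokenManagerBase(pool_, operator_) {}

    function withdraw(address token, uint8 balanceType) external override {
        uint256 amount = userTokenBalanceMap[msg.sender][token][balanceType];
        require(amount > 0, "nothing to claim");
        capitalPool.payOut(token, msg.sender, amount); // mapping left untouched
    }
}

// FIXED: zero the entry before the external call (checks-effects-interactions).
// A second call now finds 0 and reverts; if the transfer itself reverts, the
// whole transaction reverts and the balance is restored, so nothing is lost.
contract TokenManagerFixed is TokenManagerBase {
    constructor(CapitalPoolStub pool_, address operator_) TokenManagerBase(pool_, operator_) {}

    function withdraw(address token, uint8 balanceType) external override {
        uint256 amount = userTokenBalanceMap[msg.sender][token][balanceType];
        require(amount > 0, "nothing to claim");
        userTokenBalanceMap[msg.sender][token][balanceType] = 0; // effect first
        capitalPool.payOut(token, msg.sender, amount);            // interaction last
    }
}
```

To see the difference, deploy `CapitalPoolStub`, deploy one of the managers pointing at it, call `setManager` with the manager's address, fund the pool with a test token, credit a user once via `addTokenBalance`, and have that user call `withdraw` twice. With `TokenManagerVulnerable` the second call pays out again as long as the pool has funds; with `TokenManagerFixed` it reverts with "nothing to claim". Zeroing the entry before the external call, rather than after it, is what makes the fix robust regardless of what the token contract does during the transfer.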
Valid critical severity finding: the lack of clearing of the `userTokenBalanceMap` mapping allows complete draining of the CapitalPool contract. Note: this would require the approval issues highlighted in other issues to be fixed first (i.e. the wrong approval address within `_transfer` and the lack of approvals within `_safe_transfer_from` during ERC20 withdrawals).