Users can claim much more than their balance when they call the withdraw function.
When users call the `withdraw` function, they can claim `claimAbleAmount` amount of tokens.
The problem is that after this claimable amount is transferred to the user, it is never subtracted from the `userTokenBalanceMap` mapping, so the user's balance is never reduced. A user can therefore call this function several times to withdraw more tokens than their balance, until they drain the contract's balance of that token.
Users can drain the tokens belonging to the TokenManager contract, preventing other users from withdrawing their balance.
Manual review
Subtract `claimAbleAmount` from the `userTokenBalanceMap` mapping.
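The missing ledger update and the recommended fix, side by side, as an added example that is not the audited contract's code. The contract name `WithdrawLedgerSketch`, the `deposit` helper, the `withdrawUnsafe` name, the inline `IERC20` interface and the two-level shape of `userTokenBalanceMap` are assumptions made for illustration; only `withdraw`, `claimAbleAmount` and `userTokenBalanceMap` come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface used by this sketch.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical, simplified ledger written for illustration; not the audited contract.
contract WithdrawLedgerSketch {
    // user => token => claimable balance (mapping shape is an assumption)
    mapping(address => mapping(address => uint256)) public userTokenBalanceMap;

    // Hypothetical helper so the ledger can be funded in a test.
    function deposit(address token, uint256 amount) external {
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        userTokenBalanceMap[msg.sender][token] += amount;
    }

    // Pattern described in the finding: the balance is read and paid out but
    // never reduced, so the ledger still shows the full amount after the call
    // and the contract's accounting no longer matches the tokens it holds.
    function withdrawUnsafe(address token) external {
        uint256 claimAbleAmount = userTokenBalanceMap[msg.sender][token];
        if (claimAbleAmount == 0) return;
        require(IERC20(token).transfer(msg.sender, claimAbleAmount), "transfer failed");
    }

    // Corrected pattern: subtract claimAbleAmount from the mapping, and do it
    // before the external call (checks-effects-interactions) so the ledger is
    // already updated if the token calls back into this contract.
    function withdraw(address token) external {
        uint256 claimAbleAmount = userTokenBalanceMap[msg.sender][token];
        if (claimAbleAmount == 0) return;
        userTokenBalanceMap[msg.sender][token] -= claimAbleAmount;
        require(IERC20(token).transfer(msg.sender, claimAbleAmount), "transfer failed");
    }
}
```

A regression test for the fix should assert that `userTokenBalanceMap` reads zero after one `withdraw` and that a second call transfers nothing.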
Valid critical severity finding, the lack of clearance of the `userTokenBalanceMap` mapping allows complete draining of the CapitalPool contract. Note: This would require the approval issues highlighted in other issues to be fixed first (i.e. wrong approval address within `_transfer` and lack of approvals within `_safe_transfer_from` during ERC20 withdrawals).