Tadle
DeFiFoundry
27,750 USDC

Submission Details
Severity: high
Valid

Users can claim much more than their balance when they call the withdraw function

Summary

Users can claim much more than their balance when they call the withdraw function.

Vulnerability Details

When a user calls the withdraw function, the amount paid out is claimAbleAmount, read directly from the balance mapping:

uint256 claimAbleAmount = userTokenBalanceMap[_msgSender()][_tokenAddress][_tokenBalanceType];

The problem is that after this claimable amount is transferred to the user, it is never subtracted from the userTokenBalanceMap mapping, so the user's recorded balance is never reduced. A user can therefore call the function repeatedly, receiving the same claimAbleAmount on every call, and withdraw far more than their balance until the contract's holdings of that token are drained.

Impact

Any user with a non-zero claimable balance can drain all tokens of that type held for the TokenManager contract, leaving other users unable to withdraw their balances.

Tools Used

Manual review

Recommendations

Subtract claimAbleAmount from the user's userTokenBalanceMap entry before the transfer (since the whole balance is claimed, this is equivalent to setting the entry to zero), so that the state update happens before the external token transfer in checks-effects-interactions order.
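The pattern described in the vulnerability details and the fix recommended above, side by side, as an added illustration that is not Tadle's code: TokenManagerVulnerable reproduces the read-then-pay-without-clearing bug, and TokenManagerFixed clears the entry before the external call. The enum members, the capitalPool address, the credit function and the minimal ERC20 interface are simplified assumptions standing in for the protocol's own wiring.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Tadle's code. The enum members, the capitalPool
// address, the unrestricted credit() helper and IERC20Minimal are assumptions
// that stand in for the protocol's real crediting path and token interface.

enum TokenBalanceType { TaxIncome, ReferralBonus, SalesRevenue, RemainingCash, MakerRefund, PointToken }

interface IERC20Minimal {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Vulnerable pattern: the claimable balance is read and paid out but never cleared,
/// so every repeated call pays the same claimAbleAmount again.
contract TokenManagerVulnerable {
    mapping(address => mapping(address => mapping(TokenBalanceType => uint256)))
        public userTokenBalanceMap;

    // Assumed: the pool contract that actually holds the funds and has approved this contract.
    address public immutable capitalPool;

    constructor(address _capitalPool) { capitalPool = _capitalPool; }

    // Assumed credit path; unrestricted here only so the example is self-contained.
    function credit(address user, address token, TokenBalanceType t, uint256 amount) external {
        userTokenBalanceMap[user][token][t] += amount;
    }

    function withdraw(address _tokenAddress, TokenBalanceType _tokenBalanceType) external {
        uint256 claimAbleAmount = userTokenBalanceMap[msg.sender][_tokenAddress][_tokenBalanceType];
        require(claimAbleAmount > 0, "nothing to claim");

        // BUG: userTokenBalanceMap is never decremented. The caller can invoke
        // withdraw() again and receive claimAbleAmount a second, third, ... time.
        require(
            IERC20Minimal(_tokenAddress).transferFrom(capitalPool, msg.sender, claimAbleAmount),
            "transfer failed"
        );
    }
}

/// Hardened pattern: zero the entry first (effects), then transfer (interaction).
/// Setting to zero equals subtracting claimAbleAmount, because the whole balance is claimed.
contract TokenManagerFixed {
    mapping(address => mapping(address => mapping(TokenBalanceType => uint256)))
        public userTokenBalanceMap;

    address public immutable capitalPool; // assumed, as above

    event Withdraw(address indexed user, address indexed token, TokenBalanceType balanceType, uint256 amount);

    constructor(address _capitalPool) { capitalPool = _capitalPool; }

    // Assumed credit path, unrestricted only for illustration.
    function credit(address user, address token, TokenBalanceType t, uint256 amount) external {
        userTokenBalanceMap[user][token][t] += amount;
    }

    function withdraw(address _tokenAddress, TokenBalanceType _tokenBalanceType) external {
        uint256 claimAbleAmount = userTokenBalanceMap[msg.sender][_tokenAddress][_tokenBalanceType];
        require(claimAbleAmount > 0, "nothing to claim");

        // Effect first: clear the claimable balance so a repeated call (or a
        // reentrant call from a token with hooks) finds nothing left to claim.
        userTokenBalanceMap[msg.sender][_tokenAddress][_tokenBalanceType] = 0;

        // Interaction last.
        require(
            IERC20Minimal(_tokenAddress).transferFrom(capitalPool, msg.sender, claimAbleAmount),
            "transfer failed"
        );

        emit Withdraw(msg.sender, _tokenAddress, _tokenBalanceType, claimAbleAmount);
    }
}
```

With the vulnerable contract, a user credited 100 tokens who calls withdraw() twice receives 200; with the fixed contract the second call reverts with "nothing to claim". The ordering matters beyond the repeat-call bug: clearing the entry before the transfer also closes the reentrancy window that an ERC777-style token with receive hooks would otherwise open.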

Updates

Lead Judging Commences

0xnevi Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-TokenManager-withdraw-userTokenBalanceMap-not-reset

Valid critical severity finding, the lack of clearance of the `userTokenBalanceMap` mapping allows complete draining of the CapitalPool contract. Note: This would require the approval issues highlighted in other issues to be fixed first (i.e. wrong approval address within `_transfer` and lack of approvals within `_safe_transfer_from` during ERC20 withdrawals)
