`TokenManager.withdraw()` doesn't reset user balances after a withdrawal.
Summary
The withdraw() function doesn't reset the userTokenBalanceMap after a withdrawal.
Vulnerability Details
After users withdraw funds using withdraw(), it doesn't reset userTokenBalanceMap.
So users can claim multiple times as long as the capital pool has enough funds.
Impact
Users could withdraw all funds from the capital pool.
Tools Used
Manual Review
Recommendations
withdraw() should reset userTokenBalanceMap after a withdrawal.
Lead Judging Commences
finding-TokenManager-withdraw-userTokenBalanceMap-not-reset
Valid critical severity finding, the lack of clearance of the `userTokenBalanceMap` mapping allows complete draining of the CapitalPool contract. Note: This would require the approval issues highlighted in other issues to be fixed first (i.e. wrong approval address within `_transfer` and lack of approvals within `_safe_transfer_from` during ERC20 withdrawals)
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.