Improperly set userTokenBalanceMap in TokenManager:withdraw allows any user to steal all tokens from the capital pool
Summary
The userTokenBalanceMap for users does not change after a user calls the withdraw function in TokenManager.sol. This may lead to a loss of tokens on the CapitalPool contract.
Vulnerability Details
The withdraw function in TokenManager.sol allows a user to withdraw their token balance which is given by the userTokenBalanceMap for the specific user, token and TokenBalanceType. After tokens are withdrawn the userTokenBalanceMap remains unchanged. If the user immediately calls withdraw again with the same arguments then they will be able to withdraw the same amount again.
Impact
Users could repeatedly call withdraw to get any and all tokens from the capital pool contract.
Tools Used
Recommendations
Set userTokenBalanceMap to 0 when a user calls withdraw.
Lead Judging Commences
finding-TokenManager-withdraw-userTokenBalanceMap-not-reset
Valid critical severity finding, the lack of clearance of the `userTokenBalanceMap` mapping allows complete draining of the CapitalPool contract. Note: This would require the approval issues highlighted in other issues to be fixed first (i.e. wrong approval address within `_transfer` and lack of approvals within `_safe_transfer_from` during ERC20 withdrawals)
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.