Missing Reset of User Balance in `withdraw` Function
Summary
The withdraw function in the TokenManager contract does not reset the userTokenBalanceMap for the user after the claimed amount is withdrawn. This oversight can lead to potential multiple withdrawals if the balance is not updated correctly.
Vulnerability Details
Contract: TokenManager
Function: withdraw
Location : https://github.com/tadle-com/market-evm/blob/8fbea7f4513cbeb0104236927d9051510574e673/src/core/TokenManager.sol#L137
Issue: The userTokenBalanceMap is not reset to zero after a user withdraws their tokens. As a result, the same balance could potentially be withdrawn multiple times if the state is not properly updated.
Impact
This issue can lead to unintended behavior and security vulnerabilities, particularly if users can repeatedly withdraw the same balance. It can cause financial losses and compromise the integrity of the smart contract.
Tools Used
Manual code review
Recommendations
Add the following line in the withdraw function to reset the user’s balance:
This ensures that the user’s balance is correctly updated after a withdrawal, preventing any possibility of multiple withdrawal.
Suggested Fix:
Lead Judging Commences
finding-TokenManager-withdraw-userTokenBalanceMap-not-reset
Valid critical severity finding, the lack of clearance of the `userTokenBalanceMap` mapping allows complete draining of the CapitalPool contract. Note: This would require the approval issues highlighted in other issues to be fixed first (i.e. wrong approval address within `_transfer` and lack of approvals within `_safe_transfer_from` during ERC20 withdrawals)
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.