Tadle

DeFi
30,000 USDC
Submission Details
Severity: high
Valid

Missing Reset of User Balance in `withdraw` Function

Summary

The `withdraw` function in the `TokenManager` contract does not reset `userTokenBalanceMap` for the user after the claimable amount has been transferred out. Because the mapping still holds the full amount after the transfer, a user can call `withdraw` again and be paid the same balance a second time.

Vulnerability Details

Contract: TokenManager
Function: withdraw

Location : https://github.com/tadle-com/market-evm/blob/8fbea7f4513cbeb0104236927d9051510574e673/src/core/TokenManager.sol#L137
Issue: `userTokenBalanceMap[user][token][balanceType]` is read to compute `claimAbleAmount` and the tokens are transferred, but the entry is never set to zero. Nothing in the function distinguishes a first withdrawal from a repeated one, so the same balance can be withdrawn as many times as the caller likes while the pool still has funds.

Impact

A user can repeatedly withdraw the same balance, so funds that belong to other users can be drained from the pool. This causes direct financial loss and breaks the accounting invariant that the sum of claimable balances matches what the contract actually owes.

Tools Used

Manual code review

Recommendations

Add the following line in the withdraw function to reset the user’s balance:

```solidity
userTokenBalanceMap[_msgSender()][_tokenAddress][_tokenBalanceType] = 0;
```

Placed before the token transfer, this clears the claimable balance as soon as it is read, so a second call finds zero and returns early, preventing any possibility of multiple withdrawals.

Suggested Fix:

```solidity
function withdraw(
    address _tokenAddress,
    TokenBalanceType _tokenBalanceType
) external whenNotPaused nonReentrant {
    uint256 claimAbleAmount = userTokenBalanceMap[_msgSender()][
        _tokenAddress
    ][_tokenBalanceType];
    if (claimAbleAmount == 0) {
        return;
    }
    // (+) Added: clear the claimable balance before any transfer so a repeat call finds zero
    userTokenBalanceMap[_msgSender()][_tokenAddress][_tokenBalanceType] = 0;
    // Existing code...
}
```
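As an added illustration (not Tadle's code and not the fix submitted above), the self-contained Solidity file below places the vulnerable `withdraw` next to the hardened one and runs the same two-call sequence against both. `MockToken`, `TokenManagerBase`, `VulnerableTokenManager`, `FixedTokenManager`, `Demo` and the single-member `TokenBalanceType` enum are assumptions made for this example; only the mapping shape and the `withdraw` signature mirror the report. The manager holds the pooled tokens itself, standing in for the real CapitalPool contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Tadle code. Placeholder enum: the real protocol defines
// its own members; only the mapping shape and withdraw signature follow the report.
enum TokenBalanceType { Example }

// Minimal token with no approvals; enough to move funds out of a holder.
contract MockToken {
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Shared state for both variants. The manager holds the pooled tokens itself,
// standing in for the CapitalPool contract.
abstract contract TokenManagerBase {
    MockToken public immutable token;

    // user => token => balance type => claimable amount (same shape as the report's mapping)
    mapping(address => mapping(address => mapping(TokenBalanceType => uint256)))
        public userTokenBalanceMap;

    constructor(MockToken _token) {
        token = _token;
    }

    // Stand-in for the settlement logic that credits claimable balances
    // (left unrestricted only to keep the demo short).
    function credit(address user, TokenBalanceType t, uint256 amount) external {
        userTokenBalanceMap[user][address(token)][t] += amount;
    }

    function withdraw(address _tokenAddress, TokenBalanceType _tokenBalanceType) external virtual;
}

// Reproduces the defect: the claimable amount is paid out but never cleared.
contract VulnerableTokenManager is TokenManagerBase {
    constructor(MockToken _token) TokenManagerBase(_token) {}

    function withdraw(address _tokenAddress, TokenBalanceType _tokenBalanceType) external override {
        uint256 claimAbleAmount = userTokenBalanceMap[msg.sender][_tokenAddress][_tokenBalanceType];
        if (claimAbleAmount == 0) {
            return;
        }
        // Missing reset of userTokenBalanceMap: every call pays the same amount again.
        token.transfer(msg.sender, claimAbleAmount);
    }
}

// Hardened form: clear the balance (effect) before the token transfer (interaction).
contract FixedTokenManager is TokenManagerBase {
    constructor(MockToken _token) TokenManagerBase(_token) {}

    function withdraw(address _tokenAddress, TokenBalanceType _tokenBalanceType) external override {
        uint256 claimAbleAmount = userTokenBalanceMap[msg.sender][_tokenAddress][_tokenBalanceType];
        if (claimAbleAmount == 0) {
            return;
        }
        userTokenBalanceMap[msg.sender][_tokenAddress][_tokenBalanceType] = 0;
        token.transfer(msg.sender, claimAbleAmount);
    }
}

// Deploys both managers funded with 1000 tokens, credits the caller 100 in each,
// calls withdraw twice on each, and returns what remains in each pool.
contract Demo {
    function run() external returns (uint256 leftInVulnerable, uint256 leftInHardened) {
        MockToken token = new MockToken();
        VulnerableTokenManager vulnerable = new VulnerableTokenManager(token);
        FixedTokenManager hardened = new FixedTokenManager(token);

        token.mint(address(vulnerable), 1000);
        token.mint(address(hardened), 1000);
        vulnerable.credit(address(this), TokenBalanceType.Example, 100);
        hardened.credit(address(this), TokenBalanceType.Example, 100);

        // Same sequence against both: a legitimate withdrawal followed by a repeat call.
        for (uint256 i = 0; i < 2; i++) {
            vulnerable.withdraw(address(token), TokenBalanceType.Example);
            hardened.withdraw(address(token), TokenBalanceType.Example);
        }

        leftInVulnerable = token.balanceOf(address(vulnerable));
        leftInHardened = token.balanceOf(address(hardened));
    }
}
```

Deploy `Demo` in Remix or a local node and call `run()`: the vulnerable pool is left with 800 because the second call pays the 100 again, while the hardened pool is left with 900 because the second call reads zero and returns. The reset is written before `transfer` on purpose; with a reentrant token, clearing the balance after the call would still leave a window in which the mapping holds the old amount, so the ordering matters as much as the reset itself, and the `nonReentrant` modifier in the suggested fix is a second, independent layer.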
Updates

Lead Judging Commences

0xnevi Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-TokenManager-withdraw-userTokenBalanceMap-not-reset

Valid critical severity finding, the lack of clearance of the `userTokenBalanceMap` mapping allows complete draining of the CapitalPool contract. Note: This would require the approval issues highlighted in other issues to be fixed first (i.e. wrong approval address within `_transfer` and lack of approvals within `_safe_transfer_from` during ERC20 withdrawals).
