Inconsistent use of OpenZeppelin's Context contract in TokenManager.sol can lead to a loss of Ether for users who invoke the withdraw(...) function through a meta-transaction. The Ether will be sent to the forwarder's/relayer's address (the last caller) instead of the original user's address, causing a potential loss of funds for the user.
The TokenManager.sol contract employs OpenZeppelin's Context contract to support meta-transactions. However, within the withdraw(...) function, the contract uses msg.sender instead of _msgSender() when transferring Ether. This inconsistency causes Ether to be sent to the forwarder/relayer's address, rather than the original user's address, when the function is called via a meta-transaction.
Users invoking the withdraw(...) function via a meta-transaction will lose their Ether, as the funds will be transferred to the relayer instead of the original user.
Manual code review.
Replace msg.sender with _msgSender() in the withdraw(...) function to ensure that the Ether is transferred to the original caller's address, preserving the integrity of meta-transaction functionality in TokenManager.sol.
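The inconsistency and its fix side by side, as an added example that is not code from TokenManager.sol. The contract name, the balances mapping, the inline ERC-2771 style _msgSender() and both withdraw function names are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical vault constructed for illustration; not TokenManager.sol.
contract MetaTxVault {
    address public immutable trustedForwarder; // assumed ERC-2771 style forwarder
    mapping(address => uint256) public balances; // assumed accounting model

    constructor(address forwarder) {
        trustedForwarder = forwarder;
    }

    // Stand-in for the Context hook: when the trusted forwarder is the caller,
    // the original signer is the last 20 bytes of calldata.
    function _msgSender() internal view returns (address sender) {
        if (msg.sender == trustedForwarder && msg.data.length >= 20) {
            assembly {
                sender := shr(96, calldataload(sub(calldatasize(), 20)))
            }
        } else {
            sender = msg.sender;
        }
    }

    function deposit() external payable {
        balances[_msgSender()] += msg.value;
    }

    // Inconsistent: the signer's balance is debited, but the Ether goes to
    // msg.sender, which is the forwarder on a meta-transaction.
    function withdrawInconsistent(uint256 amount) external {
        address user = _msgSender();
        require(balances[user] >= amount, "insufficient balance");
        balances[user] -= amount;
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "transfer failed");
    }

    // Consistent: one resolved sender is used for both the debit and the payout.
    function withdrawFixed(uint256 amount) external {
        address user = _msgSender();
        require(balances[user] >= amount, "insufficient balance");
        balances[user] -= amount;
        (bool ok, ) = payable(user).call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

On a direct call both functions behave identically, so a test suite that never routes a call through the forwarder will not surface the difference.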