The TokenManager::withdraw() function does not update the userTokenBalanceMap after a withdrawal is made. This allows users to repeatedly call the withdraw() function to drain the pool, as the token balance in the mapping remains unchanged even after tokens are claimed.
In the TokenManager contract, the userTokenBalanceMap[accountAddress][tokenAddress][tokenBalanceType] mapping tracks the token balance for each user, which can be claimed via the withdraw() function. The withdraw() function retrieves the claimAbleAmount from this mapping and sends the corresponding tokens to the user.
However, after sending the tokens to the user, the function fails to update the userTokenBalanceMap to reflect the withdrawn amount. This allows the user to repeatedly call the withdraw() function, each time receiving the same amount of tokens, effectively draining the pool.
This vulnerability allows malicious users to drain the pool by repeatedly withdrawing the same balance.
Tool used: vscode
The withdraw() function should update userTokenBalanceMap after each withdrawal so that the claimed amount is deducted from the user's balance and cannot be claimed a second time.
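The following is an added illustration written for this report, not the project's own code. It models the mapping layout and the withdraw() behaviour described above in a minimal stand-in contract, placing the defective function next to a corrected one, and exercises both from a Foundry test. The `TokenBalanceType` values, the `ICapitalPool` interface, the `credit()` helper, the mock pool and the test addresses are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Assumed enum values; only the mapping layout and withdraw() behaviour come from the report.
enum TokenBalanceType { Sale, Refund }

// Assumed interface for the pool that holds and pays out tokens.
interface ICapitalPool {
    function pay(address token, address to, uint256 amount) external;
}

contract TokenManagerExample {
    // user => token => balance type => claimable amount (layout from the report)
    mapping(address => mapping(address => mapping(TokenBalanceType => uint256)))
        public userTokenBalanceMap;

    ICapitalPool public immutable capitalPool;

    event Withdraw(address indexed user, address indexed token, TokenBalanceType balanceType, uint256 amount);

    constructor(ICapitalPool _capitalPool) {
        capitalPool = _capitalPool;
    }

    // Assumed helper so the test can seed a claimable balance; in a real contract
    // balances are credited by other flows.
    function credit(address user, address token, TokenBalanceType t, uint256 amount) external {
        userTokenBalanceMap[user][token][t] += amount;
    }

    // DEFECTIVE (the behaviour the finding describes): the claimable amount is read
    // and paid out, but the mapping entry is never cleared, so every call pays again.
    function withdrawVulnerable(address tokenAddress, TokenBalanceType tokenBalanceType) external {
        uint256 claimAbleAmount = userTokenBalanceMap[msg.sender][tokenAddress][tokenBalanceType];
        require(claimAbleAmount > 0, "nothing to claim");
        capitalPool.pay(tokenAddress, msg.sender, claimAbleAmount);
        emit Withdraw(msg.sender, tokenAddress, tokenBalanceType, claimAbleAmount);
        // missing: userTokenBalanceMap[msg.sender][tokenAddress][tokenBalanceType] = 0;
    }

    // CORRECTED: the balance is zeroed before the external call (checks-effects-interactions),
    // so a repeated call, or a reentrant one, finds nothing left to claim.
    function withdraw(address tokenAddress, TokenBalanceType tokenBalanceType) external {
        uint256 claimAbleAmount = userTokenBalanceMap[msg.sender][tokenAddress][tokenBalanceType];
        require(claimAbleAmount > 0, "nothing to claim");
        userTokenBalanceMap[msg.sender][tokenAddress][tokenBalanceType] = 0;
        capitalPool.pay(tokenAddress, msg.sender, claimAbleAmount);
        emit Withdraw(msg.sender, tokenAddress, tokenBalanceType, claimAbleAmount);
    }
}

// Mock pool that only records what it would have paid out.
contract MockPool is ICapitalPool {
    mapping(address => uint256) public paid;

    function pay(address, address to, uint256 amount) external {
        paid[to] += amount;
    }
}

contract WithdrawTest is Test {
    MockPool pool;
    TokenManagerExample tm;
    address user = address(0xBEEF);   // constructed test address
    address token = address(0xCAFE);  // constructed token address

    function setUp() public {
        pool = new MockPool();
        tm = new TokenManagerExample(pool);
        tm.credit(user, token, TokenBalanceType.Sale, 100e18);
    }

    // Two calls against the defective function pay the same 100e18 twice.
    function test_vulnerable_pays_same_balance_twice() public {
        vm.startPrank(user);
        tm.withdrawVulnerable(token, TokenBalanceType.Sale);
        tm.withdrawVulnerable(token, TokenBalanceType.Sale);
        vm.stopPrank();
        assertEq(pool.paid(user), 200e18);
        assertEq(tm.userTokenBalanceMap(user, token, TokenBalanceType.Sale), 100e18);
    }

    // The corrected function pays once and rejects the second call.
    function test_fixed_reverts_on_second_call() public {
        vm.startPrank(user);
        tm.withdraw(token, TokenBalanceType.Sale);
        vm.expectRevert(bytes("nothing to claim"));
        tm.withdraw(token, TokenBalanceType.Sale);
        vm.stopPrank();
        assertEq(pool.paid(user), 100e18);
        assertEq(tm.userTokenBalanceMap(user, token, TokenBalanceType.Sale), 0);
    }
}
```

Run with `forge test` in a Foundry project that has forge-std installed. The corrected version writes the zero balance before the external call rather than after it; that ordering is not required to close this particular finding, but it also removes the reentrancy window that a post-call update would leave open if the pool or token made a callback.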
Valid critical severity finding: the lack of clearance of the `userTokenBalanceMap` mapping allows complete draining of the CapitalPool contract. Note: this would require the approval issues highlighted in other issues to be fixed first (i.e. the wrong approval address within `_transfer` and the lack of approvals within `_safe_transfer_from` during ERC20 withdrawals).