Unlimited withdrawals as `userTokenBalanceMap` is not updated
Summary
An attacker can withdraw the entire balance of the protocol because the map userTokenBalanceMap storing the balances of users is not updated at the end of withdraw function in TokenManager.sol
Vulnerability Details
If we look at the function withdraw (https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/TokenManager.sol#L137-L189), it reads the user balance from the map userTokenBalanceMap and stores it in claimAbleAmount. But the mapping is never updated by reducing the claimAbleAmount from the map userTokenBalanceMap.
Impact
Loss of entire user funds held by the protocol.
Tools Used
Manual Review
Recommendations
Add the following line before the tokens are transferred to the caller to update the user balance held within the protocol.
userTokenBalanceMap[_accountAddress][_tokenAddress][_tokenBalanceType] -= claimAbleAmount;
Lead Judging Commences
finding-TokenManager-withdraw-userTokenBalanceMap-not-reset
Valid critical severity finding, the lack of clearance of the `userTokenBalanceMap` mapping allows complete draining of the CapitalPool contract. Note: This would require the approval issues highlighted in other issues to be fixed first (i.e. wrong approval address within `_transfer` and lack of approvals within `_safe_transfer_from` during ERC20 withdrawals)
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.