https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/TokenManager.sol#L137-L189
`userTokenBalanceMap` is never updated while withdrawing, causing the protocol to be drained.
When a user gains funds through any of the multiple ways the protocol credits them (see PreMarket.sol and DeliveryPlace.sol), their `userTokenBalanceMap` entry is updated. A user with a balance can withdraw the gained amount by calling the `TokenManager::withdraw` function.
However, `userTokenBalanceMap` is never updated when `TokenManager::withdraw` is called, allowing a malicious user to drain the particular ERC20 token from the CapitalPool contract by withdrawing multiple times.
Likelihood: High - userTokenBalanceMap is never updated
Impact: High - Theft of funds
Overall severity is high.
Manual Review
Update userTokenBalanceMap when tokens are transferred.
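The recommendation above, sketched as an added example that is not Tadle's code: a simplified ledger showing the flawed withdrawal shape next to one that clears the balance before the transfer. The contract name `WithdrawLedger`, the `IERC20Min` interface, the two-key mapping layout, the `_credit` helper and the choice to hold tokens in the contract itself (rather than pulling from CapitalPool) are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal token interface (hypothetical name) so the example has no external imports.
// Production code would use a safe-transfer wrapper to handle tokens that return no bool.
interface IERC20Min {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Simplified model of a claimable-balance ledger; not the project's TokenManager.
contract WithdrawLedger {
    // user => token => claimable amount (assumed layout for this example)
    mapping(address => mapping(address => uint256)) public userTokenBalanceMap;

    event Withdraw(address indexed user, address indexed token, uint256 amount);

    // Stand-in for the protocol paths that credit a user.
    function _credit(address user, address token, uint256 amount) internal {
        userTokenBalanceMap[user][token] += amount;
    }

    // Flawed shape described in the finding: the balance is read but never
    // cleared, so the ledger still shows the full amount after the payout.
    function withdrawUnsafe(address token) external {
        uint256 claimable = userTokenBalanceMap[msg.sender][token];
        if (claimable == 0) return;
        require(IERC20Min(token).transfer(msg.sender, claimable), "transfer failed");
        emit Withdraw(msg.sender, token, claimable);
    }

    // Hardened shape: checks, then effects, then interactions.
    function withdraw(address token) external {
        uint256 claimable = userTokenBalanceMap[msg.sender][token];
        if (claimable == 0) return;

        // Effect first: zero the ledger entry so a repeated or re-entrant
        // call reads 0 and returns before any transfer happens.
        userTokenBalanceMap[msg.sender][token] = 0;

        // Interaction last: a revert here also rolls back the zeroing above.
        require(IERC20Min(token).transfer(msg.sender, claimable), "transfer failed");
        emit Withdraw(msg.sender, token, claimable);
    }
}
```

A regression test for the fix would credit a user once, call `withdraw` twice, and assert that the second call moves no tokens and that the pool's token balance dropped by exactly the credited amount.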
Valid critical severity finding, the lack of clearance of the `userTokenBalanceMap` mapping allows complete draining of the CapitalPool contract. Note: This would require the approval issues highlighted in other issues to be fixed first (i.e. wrong approval address within `_transfer` and lack of approvals within `_safe_transfer_from` during ERC20 withdrawals)