Multiple Withdrawals Due to Missing Balance Update in Withdraw Function
Summary
The withdraw function in the TokenManager contract allows users to withdraw their token balances. However, the contract doesnt update the userTokenBalanceMap after a successful withdrawal, enabling malicious users to repeatedly withdraw the same amount of tokens.
Vulnerability Details
In the withdraw function, the contract retrieves the claimable token amount from userTokenBalanceMap for the calling user and the specified token. However, after transferring the tokens, the contract does not reset or reduce the balance in userTokenBalanceMap.
As a result, after the initial withdrawal, the user's balance remains unchanged in userTokenBalanceMap, allowing them to call the withdraw function again and withdraw the same amount of tokens repeatedly.
Impact
malicious users can drain tokens from the contract by repeatedly withdrawing the same token amount.
Tools Used
Manual
Recommendations
Update userTokenBalanceMap after Withdrawal: Ensure that after a successful withdrawal, the user's balance in userTokenBalanceMap is reduced by the claimAbleAmount or set to zero.
Lead Judging Commences
finding-TokenManager-withdraw-userTokenBalanceMap-not-reset
Valid critical severity finding, the lack of clearance of the `userTokenBalanceMap` mapping allows complete draining of the CapitalPool contract. Note: This would require the approval issues highlighted in other issues to be fixed first (i.e. wrong approval address within `_transfer` and lack of approvals within `_safe_transfer_from` during ERC20 withdrawals)
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.