A maker can withdraw other makers' collateral because the protocol does not decrease the maker's balance upon withdrawal.
This allows a maker to repeatedly call the withdraw function until the entire protocol balance is depleted.
In Tadle, a maker deposits collateral to create an offer and can abort the offer to retrieve the collateral.
A malicious actor can exploit this by depositing collateral, creating an offer, aborting it, and then withdrawing repeatedly.
The protocol's balance can be fully drained by a malicious actor, leading to a total loss of funds for the protocol.
Bob (malicious actor) deposits WETH tokens as collateral and initiates an offer.
Additional users also deposit WETH tokens as collateral and initiate their own offers.
Bob aborts the ask offer and prepares to reclaim his collateral.
Bob continuously invokes the withdraw function until the contract's entire balance is drained.
Add a balance decrease mechanism in the withdraw function.
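The recommendation above, sketched as an added example that is not Tadle's code or part of the original report: a simplified, hypothetical `LedgerSketch` contract with a withdraw that leaves the credit in place beside one that clears it before transferring. The contract and function names, the two-level mapping, and the assumption that the token's `transfer` returns `bool` (as WETH does) are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Minimal ERC20 surface needed by this sketch.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical, simplified ledger; not Tadle's TokenManager or CapitalPool.
contract LedgerSketch {
    // Claimable credit per user per token (flattened stand-in for userTokenBalanceMap).
    mapping(address => mapping(address => uint256)) public userTokenBalanceMap;

    event Withdraw(address indexed user, address indexed token, uint256 amount);

    // Stand-in for "deposit collateral, create an offer, abort it":
    // pulls tokens into the shared pool and credits the caller.
    function depositAndCredit(address token, uint256 amount) external {
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "deposit failed");
        userTokenBalanceMap[msg.sender][token] += amount;
    }

    // BEFORE: the behaviour the finding describes. The credit is read but never
    // cleared, so each call pays the same amount again out of the shared pool.
    function withdrawVulnerable(address token) external {
        uint256 claimable = userTokenBalanceMap[msg.sender][token];
        if (claimable == 0) return;
        require(IERC20(token).transfer(msg.sender, claimable), "transfer failed");
        emit Withdraw(msg.sender, token, claimable);
    }

    // AFTER: zero the credit before the external call (checks-effects-interactions).
    // A second call sees zero, and a reentrant call cannot reuse the credit.
    function withdrawFixed(address token) external {
        uint256 claimable = userTokenBalanceMap[msg.sender][token];
        if (claimable == 0) return;
        userTokenBalanceMap[msg.sender][token] = 0;
        require(IERC20(token).transfer(msg.sender, claimable), "transfer failed");
        emit Withdraw(msg.sender, token, claimable);
    }
}
```

A regression test for the fix can assert that the pool's token balance never falls below the sum of outstanding credits after any sequence of deposits and withdrawals.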
Valid critical severity finding. The lack of clearance of the `userTokenBalanceMap` mapping allows complete draining of the CapitalPool contract. Note: This would require the approval issues highlighted in other issues to be fixed first (i.e. wrong approval address within `_transfer` and lack of approvals within `_safe_transfer_from` during ERC20 withdrawals).