Attackers can drain all the funds from the contract.
Summary
The TokenManager:withdraw() function can be exploited by an attacker to drain all the funds from the protocol.
Vulnerability Details
The TokenManager:withdraw() function includes a whenNotPaused modifier, which prevents withdrawals when the contract is paused.
The function checks the claimable amount for the caller using the following mapping:
After retrieving the balance, the funds are transferred to the user. However, there is no update to the storage variables, meaning the user's balance is not reduced. As a result, the user can repeatedly withdraw their balance until the contract is completely drained of funds.
Impact
Draining of funds
Tools Used
Manual
Recommendations
After the withdrawal also reflect it to the state variable.
Lead Judging Commences
finding-CapitalPool-approve-missing-access-control
This is at most low severity, even though giving max approvals shouldn't be permisionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.