BriVault

First Flight #52
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: high
Likelihood: high
Invalid

REENTRANCY IN WITHDRAW FUNCTION ALLOWS UNLIMITED FUND DRAINS

Root + Impact

REENTRANCY RISK IN WITHDRAW FUNCTION

Description
An attacker (participant) can re-enter the withdraw function and call it multiple times before the contract updates their balance. This allows them to drain the entire vault, resulting in a complete loss of all user funds and a total breakdown of the contract logic.

RISK LIKELIHOOD

An attacker can repeatedly call withdraw() before their balance is reduced. This allows them to steal the entire contract balance, even if they only won a small portion of the funds.

REFERENCE FILES

Withdraw function.

Proof of Concept

1. A user deposits tokens and bets on a team.
2. The attacker calls withdraw() repeatedly in a single transaction.
3. Each call sends funds, but the balance is only reduced after all calls complete.
4. The attacker drains the full contract balance, far more than their share.

Recommended Mitigation

Restrict the withdraw function so a user can only call it once per tournament. Note that the "already withdrawn" flag must be set before the external call, otherwise a re-entering caller still sees it unset.

Or, use the checks-effects-interactions pattern: update the user's balance before sending funds. A reentrancy guard on withdraw() is a cheap additional defence.

Updates

Appeal created

bube Lead Judge 19 days ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
