Vulnerability in Token Withdrawal Function

Code4rena, 2023-10-party findings, issue 524 (github.com)
Nov 10, 2023

AI Score: 7 (Confidence: Low)

Lines of code

Vulnerability details

Impact

Flawed logic in the token withdrawal function allows selective withdrawal of high-value tokens and fails in single-token scenarios.

```solidity
// Sum up total amount of each token to withdraw.
uint256[] memory withdrawAmounts = new uint256[](withdrawTokens.length);
{
    IERC20 prevToken;
    for (uint256 i; i < withdrawTokens.length; ++i) {
        // Check if order of tokens to transfer is valid.
        // Prevent null and duplicate transfers.
        if (prevToken >= withdrawTokens[i]) revert InvalidTokenOrderError();
        ...
    }
}
```

Specific Concerns:

Selective High-Value Withdrawals: Users can exploit the function to repeatedly withdraw only high-value tokens, which could lead to unfair distribution.

Single-Token Scenario Failure: In cases where only one type of reward token is present, the function’s validation logic (if (prevToken >= withdrawTokens[i])) incorrectly prevents successful execution.

Proof of Concept

Tools Used

manual

Recommended Mitigation Steps

Implement a mechanism to ensure fair and equitable withdrawal of tokens, possibly by randomizing the order or enforcing a proportional withdrawal across all token types.
Adjust the validation logic to accommodate scenarios with a single token type. This could involve modifying or bypassing the order check when only one token type is present.
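As an added example (not Party Protocol code), a Python model of the ordering check quoted above placed beside the recommended proportional-withdrawal mitigation; token addresses, balances and voting-power figures are constructed for illustration.

```python
# Tokens are modelled as integer addresses (constructed values, not real contracts).
ZERO_ADDRESS = 0


class InvalidTokenOrderError(Exception):
    """Mirror of the contract's InvalidTokenOrderError revert."""


def validate_token_order(tokens: list[int]) -> None:
    """Model of the loop check `if (prevToken >= withdrawTokens[i]) revert`.

    prevToken starts as the zero address, so a null entry, a duplicate, or an
    out-of-order entry trips the check; a strictly ascending list passes.
    """
    prev_token = ZERO_ADDRESS
    for token in tokens:
        if prev_token >= token:
            raise InvalidTokenOrderError(f"{token:#x} must be > {prev_token:#x}")
        prev_token = token


def is_valid_token_order(tokens: list[int]) -> bool:
    """Boolean wrapper so the check can be tested without catching exceptions."""
    try:
        validate_token_order(tokens)
        return True
    except InvalidTokenOrderError:
        return False


def selective_withdraw_amounts(chosen, balances, burned_power, total_power):
    """Behaviour the report describes: the caller picks which held tokens to
    withdraw, so high-value tokens can be taken while the rest are left behind."""
    validate_token_order(chosen)
    return {t: balances[t] * burned_power // total_power for t in chosen}


def proportional_withdraw_amounts(held_tokens, balances, burned_power, total_power):
    """Mitigation: ignore any caller selection and pay out every token the party
    holds, pro rata to the burned share of voting power (floor division, as in
    Solidity integer math). held_tokens is the party's own sorted, unique list."""
    if total_power == 0 or burned_power > total_power:
        raise ValueError("burned_power must be <= total_power and total_power > 0")
    validate_token_order(held_tokens)
    return {t: balances[t] * burned_power // total_power for t in held_tokens}
```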

Assessed type

Token-Transfer

