This repository has been archived by the owner on May 26, 2023. It is now read-only.

cccz - AssetManager.withdraw may not withdraw the correct amount of tokens #98

Closed
sherlock-admin opened this issue Nov 4, 2022 · 0 comments

Comments


sherlock-admin commented Nov 4, 2022

cccz

medium

AssetManager.withdraw may not withdraw the correct amount of tokens

Summary

AssetManager.withdraw will return true when the number of tokens withdrawn is insufficient

Vulnerability Detail

UserManager.unstake will call AssetManager.withdraw to withdraw tokens.
But in the AssetManager.withdraw function, it will return true even if the number of tokens withdrawn is insufficient.
Consider an extreme case where the admin removes support for a token via AssetManager.removeToken. The user calls UserManager.unstake to withdraw tokens, and AssetManager.withdraw calls _checkSenderBalance to check whether the balance is sufficient. Since the caller is not a UToken, it checks balances[sender][tokenAddress] >= amount, but these tokens may have been deposited into the adapter, so the actual amount of tokens withdrawn is less than amount, while staker.stakedAmount is still reduced by amount in UserManager.unstake.

Impact

Users calling UserManager.unstake function may suffer losses.

Code Snippet

https://github.com/sherlock-audit/2022-10-union-finance/blob/main/union-v2-contracts/contracts/asset/AssetManager.sol#L328-L369
https://github.com/sherlock-audit/2022-10-union-finance/blob/main/union-v2-contracts/contracts/user/UserManager.sol#L691-L705
https://github.com/sherlock-audit/2022-10-union-finance/blob/main/union-v2-contracts/contracts/asset/AssetManager.sol#L547-L558
https://github.com/sherlock-audit/2022-10-union-finance/blob/main/union-v2-contracts/contracts/asset/AssetManager.sol#L261-L292

Tool used

Manual Review

Recommendation

Consider returning false from AssetManager.withdraw when the number of tokens withdrawn is insufficient.

Duplicate of #27
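The following is an added, self-contained illustration of the accounting flaw the report describes; it is not Union Finance's code and does not reproduce the real AssetManager/UserManager. The MockToken (no allowance checks), the ADAPTER sink address, the moveToAdapter/removeToken admin calls, and the withdrawVulnerable/withdrawFixed pair are all constructed for the demo. It shows why a boolean that is always true lets UserManager debit stakedAmount by the full amount while only the liquid part of the tokens is actually paid out, and how the recommended "return false on shortfall" makes the caller's require revert the whole unstake instead.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal token stand-in (no allowances) so the example deploys on its own.
contract MockToken {
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }

    function transfer(address to, uint256 amount) public returns (bool) {
        return _move(msg.sender, to, amount);
    }

    // Simplification for the demo: no allowance check, every caller is trusted.
    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        return _move(from, to, amount);
    }

    function _move(address from, address to, uint256 amount) internal returns (bool) {
        require(balanceOf[from] >= amount, "insufficient");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

contract AssetManager {
    MockToken public immutable token;
    address public constant ADAPTER = address(0xA11); // hypothetical adapter sink
    mapping(address => uint256) public balances;      // book balance per depositor
    bool public supported = true;

    constructor(MockToken _token) { token = _token; }

    function deposit(uint256 amount) external {
        token.transferFrom(msg.sender, address(this), amount);
        balances[msg.sender] += amount;
    }

    // Admin moves liquidity into an adapter; once the token is removed this
    // demo cannot pull it back, which is the shortfall the report describes.
    function moveToAdapter(uint256 amount) external { token.transfer(ADAPTER, amount); }
    function removeToken() external { supported = false; }

    // Pays out whatever is liquid and reports how much is still owed.
    function _payLiquid(address to, uint256 amount) internal returns (uint256 remaining) {
        require(balances[msg.sender] >= amount, "book balance"); // passes on book-keeping alone
        balances[msg.sender] -= amount;                          // debited in full
        uint256 liquid = token.balanceOf(address(this));
        uint256 payout = amount < liquid ? amount : liquid;
        if (payout > 0) token.transfer(to, payout);
        remaining = amount - payout;
        // While `supported` is true the adapter would be drained here; after
        // removeToken() nothing else is queried and `remaining` can stay > 0.
    }

    // Vulnerable shape: success is reported even when tokens are still owed.
    function withdrawVulnerable(address to, uint256 amount) external returns (bool) {
        _payLiquid(to, amount);
        return true;
    }

    // Hardened shape (the report's recommendation): false on any shortfall.
    function withdrawFixed(address to, uint256 amount) external returns (bool) {
        return _payLiquid(to, amount) == 0;
    }
}

contract UserManager {
    MockToken public immutable token;
    AssetManager public immutable assetManager;
    mapping(address => uint256) public stakedAmount;

    constructor(MockToken _token, AssetManager _am) { token = _token; assetManager = _am; }

    function stake(uint256 amount) external {
        token.transferFrom(msg.sender, address(this), amount);
        stakedAmount[msg.sender] += amount;
        assetManager.deposit(amount);
    }

    // Debits the staker by the full amount, then trusts a boolean that never fails:
    // the staker's record drops by `amount` even if only part of it was paid out.
    function unstakeVulnerable(uint256 amount) external {
        stakedAmount[msg.sender] -= amount;
        require(assetManager.withdrawVulnerable(msg.sender, amount), "withdraw failed");
    }

    // Same debit, but a false return reverts the whole call, so stakedAmount
    // and the partial transfer are both rolled back.
    function unstakeFixed(uint256 amount) external {
        stakedAmount[msg.sender] -= amount;
        require(assetManager.withdrawFixed(msg.sender, amount), "withdraw failed");
    }
}
```

To reproduce the scenario: mint 100 tokens to a user, stake(100) through UserManager, have the admin call moveToAdapter(60) then removeToken(), and finally unstake(100). With unstakeVulnerable the user receives 40 tokens but stakedAmount drops from 100 to 0; with unstakeFixed the call reverts and both the 100 stakedAmount and the book balance are preserved. Note that "return false" only helps because the caller reverts on it; a caller that ignores the return value would keep the partial transfer and the full debit, so the check belongs at the call site as well.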
