Platform: Code4rena
Start Date: 03/02/2022
Pot Size: $75,000 USDC
Total HM: 42
Participants: 52
Period: 7 days
Judge: GalloDaSballo
Total Solo HM: 21
Id: 83
League: ETH
Rank: 51/52
Findings: 1
Award: $31.07
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: mtz
Also found by: 0x1f8b, Czar102, GalloDaSballo, GeekyLumberjack, Randyyy, Rhynorater, Ruhum, ShadowyNoobDev, bitbopper, cccz, cmichel, csanuragjain, danb, gzeon, hickuphh3, hyh, leastwood
31.0722 USDC - $31.07
https://github.com/code-423n4/2022-02-concur/blob/main/contracts/Shelter.sol#L52-L59 https://github.com/code-423n4/2022-02-concur/commit/229b6188a2c5867f2d0cb4579d0a0d49516da252
withdraw() in Shelter.sol can be called multiple times by the same party. Eventually, based on the user's shareOf, this would lead to a complete drain of funds in Shelter.sol.
This requires that both the msg.sender and _to addresses have funds that are now in the shelter. This would only be done in the case of an emergency, as stated in the Code4rena Discord. An example of using the shelter was provided here.

A user calls withdraw and receives 100 tokens. The same user calls withdraw 9 more times and receives all 1000 tokens that were in the shelter. This happens because claimed[_token][_to] = true; is set but never checked.
Manual Analysis
Add a require statement to check if the address has claimed their tokens already.
require(claimed[_token][_to] == false, "already claimed");
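The following Python model is an added illustration of the defect and of the recommended fix; it is not the Concur project's Shelter.sol and does not reproduce its actual arithmetic. It assumes a simplified share-based payout in which the amount owed is computed from the balance snapshotted at activation times the claimant's share, so each call pays the same fixed amount (the only way the proof of concept's "10 calls drain exactly 1000 tokens" works). The token name, the depositor table and the 1,000-token balance are constructed values.

```python
"""Model of the double-claim defect in Shelter.withdraw() and its fix.

Added illustration, not the Concur project's code. Assumption: the payable
amount is derived from the token balance recorded at activation multiplied
by the claimant's share, so every call pays the same amount.
"""


class AlreadyClaimed(Exception):
    """Raised by the hardened variant when claimed[token][to] is already set."""


class TransferFailed(Exception):
    """Stands in for a reverting token transfer once the balance is exhausted."""


class ShelterModel:
    def __init__(self, token, shares, balance, check_claimed):
        self.token = token                 # hypothetical token identifier
        self.shares = dict(shares)         # address -> share units
        self.total_shares = sum(shares.values())
        self.balance = balance             # tokens currently held by the shelter
        self.snapshot = balance            # balance recorded at activation (assumption)
        self.claimed = {}                  # (token, to) -> bool, mirrors claimed[_token][_to]
        self.check_claimed = check_claimed

    def withdraw(self, to):
        key = (self.token, to)
        # The check the finding says is missing; present only in the hardened variant.
        if self.check_claimed and self.claimed.get(key, False):
            raise AlreadyClaimed(f"{to} already claimed {self.token}")
        amount = self.snapshot * self.shares.get(to, 0) // self.total_shares
        if amount > self.balance:
            raise TransferFailed("shelter balance exhausted")
        self.balance -= amount
        self.claimed[key] = True           # set in both variants, exactly as in the finding
        return amount


def run_scenario(check_claimed, calls=10):
    """Replay the finding's proof of concept against one variant.

    Constructed setup: ten depositors with equal shares and 1,000 tokens in
    the shelter, so one honest claim is worth 100 tokens. Returns the list of
    amounts paid to the repeated caller and the shelter's remaining balance.
    """
    shares = {f"user{i}": 10 for i in range(10)}   # constructed share table
    shelter = ShelterModel("TOKEN", shares, 1000, check_claimed)
    paid = []
    for _ in range(calls):
        try:
            paid.append(shelter.withdraw("user0"))
        except AlreadyClaimed:
            break                          # hardened variant stops the second claim
    return paid, shelter.balance


if __name__ == "__main__":
    vulnerable, left = run_scenario(check_claimed=False)
    print("vulnerable:", vulnerable, "remaining", left)   # ten payouts of 100, 0 remaining
    fixed, left = run_scenario(check_claimed=True)
    print("fixed:", fixed, "remaining", left)              # one payout of 100, 900 remaining
```

The two runs isolate the one-line difference: without the guard, the write to claimed[_token][_to] is dead state and the same address collects the other nine depositors' entitlements; with the guard, the second call reverts and 900 tokens remain for their rightful owners.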
#0 - r2moon
2022-02-18T03:11:22Z