WithdrawHook#userWithdrawLimitPerPeriod Limit max withdraw logic error #160
Labels
- 3 (High Risk): Assets can be stolen/lost/compromised directly
- bug: Something isn't working
- duplicate-310
- satisfactory: satisfies C4 submission criteria; eligible for awards
- upgraded by judge: Original issue severity upgraded from QA/Gas by judge
Lines of code
https://github.com/prepo-io/prepo-monorepo/blob/3541bc704ab185a969f300e96e2f744a572a3640/apps/smart-contracts/core/contracts/WithdrawHook.sol#L66-L72
Vulnerability details
Impact
The maximum amount a user can actually withdraw in a period may be much smaller than userWithdrawLimitPerPeriod.
Proof of Concept
WithdrawHook#hook() limits each user's maximum withdrawal per period. The intended logic is: when a new period begins, the user's withdrawn amount starts counting again from 0.
But there is a logic error: lastUserPeriodReset is a single value shared by all users, so only the first user to withdraw in a new period has userToAmountWithdrawnThisPeriod[_sender] reset. Every other user is not reset, and in the new period their userToAmountWithdrawnThisPeriod[_sender] is carried over from the previous period.
Tools Used
Recommended Mitigation Steps
lastUserPeriodReset needs to be changed to mapping(address => uint256), so that the period reset timestamp is tracked independently for each user.
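The following is an added example, not code from the prePO repository: a small Python model of the per-user limit branch of WithdrawHook#hook(), written to reproduce the proof of concept above and to show the effect of the recommended mitigation. It assumes the structure described in this report (a shared lastUserPeriodReset timestamp, a userToAmountWithdrawnThisPeriod mapping, a reset-or-accumulate branch) and uses constructed values for the limit, the period length and the two withdrawing users; the per_user_reset switch is a modelling device, not a parameter of the real contract. The model also checks the limit in the reset branch, which is an assumption made so that the comparison isolates the reset logic.

```python
"""Model of the per-user withdraw limit in WithdrawHook#hook().

per_user_reset=False models the shared lastUserPeriodReset described in
the report; per_user_reset=True models the recommended
mapping(address => uint256). Everything below is an added illustration
with constructed values, not the project's own code.
"""
from dataclasses import dataclass, field


class LimitExceeded(Exception):
    """Stands in for the contract's revert on 'user withdraw limit exceeded'."""


@dataclass
class WithdrawHookModel:
    user_withdraw_limit_per_period: int
    user_period_length: int
    per_user_reset: bool = False
    # Original layout: one timestamp for everyone (shared across all senders).
    last_user_period_reset: int = 0
    # Mitigated layout: one timestamp per sender (modelled as a dict).
    user_to_last_period_reset: dict = field(default_factory=dict)
    user_to_amount_withdrawn_this_period: dict = field(default_factory=dict)

    def _last_reset_for(self, sender: str) -> int:
        if self.per_user_reset:
            return self.user_to_last_period_reset.get(sender, 0)
        return self.last_user_period_reset

    def _set_last_reset(self, sender: str, now: int) -> None:
        if self.per_user_reset:
            self.user_to_last_period_reset[sender] = now
        else:
            self.last_user_period_reset = now

    def hook(self, sender: str, amount_before_fee: int, now: int) -> int:
        """Apply one withdrawal; return the sender's amount counted this period."""
        if self._last_reset_for(sender) + self.user_period_length < now:
            # New period: restart the sender's counter from this withdrawal.
            if amount_before_fee > self.user_withdraw_limit_per_period:
                raise LimitExceeded(sender)
            self._set_last_reset(sender, now)
            self.user_to_amount_withdrawn_this_period[sender] = amount_before_fee
        else:
            # Same period: accumulate and enforce the limit.
            new_total = (self.user_to_amount_withdrawn_this_period.get(sender, 0)
                         + amount_before_fee)
            if new_total > self.user_withdraw_limit_per_period:
                raise LimitExceeded(sender)
            self.user_to_amount_withdrawn_this_period[sender] = new_total
        return self.user_to_amount_withdrawn_this_period[sender]


DAY = 86_400  # constructed period length, in seconds


def run_scenario(per_user_reset: bool) -> str:
    """Two users each withdraw the full limit in period 1; in period 2 alice
    withdraws first and bob second. Returns what happened to bob."""
    hook = WithdrawHookModel(user_withdraw_limit_per_period=100,
                             user_period_length=DAY,
                             per_user_reset=per_user_reset)
    hook.hook("alice", 100, now=10)   # alice reaches her limit in period 1
    hook.hook("bob", 100, now=20)     # bob reaches his limit in period 1
    t2 = 10 + DAY + 1                 # a new period has started
    hook.hook("alice", 10, now=t2)    # first withdrawal of the new period
    try:
        hook.hook("bob", 10, now=t2 + 1)
        return "bob_withdrew"
    except LimitExceeded:
        # With the shared timestamp, alice's withdrawal moved
        # lastUserPeriodReset to t2, so bob is still treated as being in
        # his old period and carries over his previous 100.
        return "bob_blocked"


if __name__ == "__main__":
    print("shared lastUserPeriodReset:", run_scenario(per_user_reset=False))
    print("per-user reset mapping:   ", run_scenario(per_user_reset=True))
```

Running the module prints "bob_blocked" for the shared-timestamp layout and "bob_withdrew" for the per-user mapping, which is the observable difference the mitigation is meant to produce: with a per-user reset timestamp, a user's counter restarts on their own first withdrawal of a new period regardless of who withdrew before them.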