Closed code423n4 closed 2 years ago
pauliax
CDS withdraw does not actually update the request amount. The request is stored in a memory pointer so changes are not persisted to the storage:
```solidity
Withdrawal memory request = withdrawalReq[msg.sender];
...
//reduce requested amount
request.amount -= _amount;
```
This means that the user can withdraw more than was initially requested.
Recommended Mitigation Steps

```solidity
Withdrawal storage request = withdrawalReq[msg.sender];
```
https://github.com/code-423n4/2022-01-insure-findings/issues/130
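The difference between the two data locations, as an added example that is not the audited contract's code: the contract name and the three functions are hypothetical, and only `Withdrawal`, `withdrawalReq`, `amount` and `_amount` come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration. WithdrawalRequestDemo, requestWithdraw,
// withdrawMemory and withdrawStorage are hypothetical names.
contract WithdrawalRequestDemo {
    struct Withdrawal {
        uint256 amount;
    }

    // Outstanding withdrawal request per account.
    mapping(address => Withdrawal) public withdrawalReq;

    function requestWithdraw(uint256 _amount) external {
        withdrawalReq[msg.sender] = Withdrawal(_amount);
    }

    // Pattern from the finding: `memory` copies the struct out of storage,
    // so the decrement changes only the copy and is discarded on return.
    // The bound check passes again on every later call.
    function withdrawMemory(uint256 _amount) external {
        Withdrawal memory request = withdrawalReq[msg.sender];
        require(request.amount >= _amount, "exceeds request");
        request.amount -= _amount; // not persisted
    }

    // Mitigated pattern: `storage` is a reference into contract state,
    // so the decrement is written back and later calls see the reduced amount.
    function withdrawStorage(uint256 _amount) external {
        Withdrawal storage request = withdrawalReq[msg.sender];
        require(request.amount >= _amount, "exceeds request");
        request.amount -= _amount; // persisted
    }
}
```

After `requestWithdraw(100)`, `withdrawalReq(account)` still returns 100 after any number of `withdrawMemory(100)` calls, while a second `withdrawStorage(100)` reverts with "exceeds request". A unit test asserting the stored amount after a withdrawal catches this class of bug.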