Closed code423n4 closed 2 years ago
https://github.com/code-423n4/2022-03-Li.finance/blob/main/src/Facets/WithdrawFacet.sol#L20
admin can steal all user funds
The contract does not hold any user funds. The withdraw function is only added to withdraw funds to the users that accidentally ended up in the contract.
Duplicate of https://github.com/code-423n4/2022-03-lifinance-findings/issues/65
Lines of code
https://github.com/code-423n4/2022-03-Li.finance/blob/main/src/Facets/WithdrawFacet.sol#L20
Vulnerability details
admin can steal all user funds