Overwriting of Pending Withdrawals in Funding.sol

Summary

The funding contract allows a user to override their pending withdrawals by making a new withdrawal request. If a user sends a second withdrawal request before the withdrawExecutionTimestamp of the first request, the initial withdrawal request is overwritten, and the user does not receive the funds from the first withdrawal.

Vulnerability Detail

The vulnerability arises in the requestWithdraw function:

function requestWithdraw(
        Types.State storage state,
        uint256 primaryAmount,
        uint256 secondaryAmount
    ) external {
        state.pendingPrimaryWithdraw[msg.sender] = primaryAmount;
        state.pendingSecondaryWithdraw[msg.sender] = secondaryAmount;
        state.withdrawExecutionTimestamp[msg.sender] =
            block.timestamp +
            state.withdrawTimeLock;
        emit RequestWithdraw(
            msg.sender,
            primaryAmount,
            secondaryAmount,
            state.withdrawExecutionTimestamp[msg.sender]
        );
    }

The requestWithdraw function directly assigns the requested withdrawal amounts to the pendingPrimaryWithdraw and pendingSecondaryWithdraw maps associated with the user's address. It does not check for existing pending withdrawals. This results in any previous withdrawal requests being overwritten if they have not yet been executed.

Impact

Users may potentially lose funds. If a user sends a second withdrawal request before the withdrawExecutionTimestamp of the first request, the initial withdrawal request is overwritten, and the user does not receive the funds from the first withdrawal.

Code Snippet

https://github.com/sherlock-audit/2023-04-jojo/blob/main/smart-contract-EVM/contracts/lib/Funding.sol#L84-L100

Tool used

Manual Review

Recommendation

re write withdraw function

sherlock-audit / 2023-04-jojo-judging

0xPkhatri - Overwriting of Pending Withdrawals in Funding.sol #482