sherlock-audit / 2024-08-winnables-raffles-judging


Raspy Spruce Parrot - Admins cannot partially withdraw tokens from `WinnablesTicketManager` #638

Closed sherlock-admin4 closed 3 months ago

sherlock-admin4 commented 3 months ago

Raspy Spruce Parrot

Low/Info

Admins cannot partially withdraw tokens from WinnablesTicketManager

Summary

An incorrect check will prevent the admin from withdrawing less than his balance of tokens.

Root Cause

In withdrawTokens() we revert if the current balance is bigger than the amount to be withdrawn, which is incorrect, because we might want to withdraw less than the current balance.

Internal pre-conditions

External pre-conditions

No response

Attack Path

No response

Impact

The impact is that the admin will not be able to withdraw the amount specified unless he selects the whole balance.

PoC

No response

Mitigation

function withdrawTokens(address tokenAddress, uint256 amount) external onlyRole(0) {
        IERC20 token = IERC20(tokenAddress);
        uint256 balance = token.balanceOf(address(this));
-       if (amount < balance) revert InsufficientBalance(); 
+       if (amount > balance) revert InsufficientBalance();
        token.safeTransfer(msg.sender, amount);
    }
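
Review bot: The corrected comparison on the `+` line has no test pinning its boundary, and the inverted `-` line shows such a test was missing. With `if (amount < balance) revert InsufficientBalance();` every partial withdrawal reverted, while an `amount` greater than `balance` passed the check and went on to `safeTransfer`. Suggest adding test cases for `amount < balance` (succeeds), `amount == balance` (succeeds, so the operator must stay `>` and not become `>=`), and `amount > balance` (reverts with `InsufficientBalance`).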

sherlock-admin2 commented 3 months ago

The protocol team fixed this issue in the following PRs/commits: https://github.com/Winnables/public-contracts/pull/6