Fast Khaki Raccoon
Medium
PodUnwrapLocker::_withdraw would brick all user funds if he gets blacklisted for only 1 of the tokens
If a user gets blackliste for one of the tokens this for would revert resulting in his funds being stuck.
function _withdraw(address _user, uint256 _lockId) internal {
LockInfo storage _lock = locks[_lockId];
require(_lock.user == _user, "W1");
require(!_lock.withdrawn, "W2");
require(block.timestamp >= _lock.unlockTime, "W3");
_lock.withdrawn = true;
for (uint256 i = 0; i < _lock.tokens.length; i++) {
if (_lock.amounts[i] > 0) {
//@audit if a user gets balcklisted for one of the tokens this reverts
IERC20(_lock.tokens[i]).safeTransfer(_user, _lock.amounts[i]);
}
}
emit TokensWithdrawn(_lockId, _user, _lock.tokens, _lock.amounts);
}Using a loop to distribute different tokens.
No response
No response
- Bond is 10% USDT, 10% USDC 40% WETH 40% WBTC
- User gets blacklisted for USDT
- His bond is worth 100k
- All of these assets would remain stuck inside the contract
All of our user assets would get stuck inside the contract if he gets blacklisted for 1 of the tokens
No response
User pull instead of push. Make sure the user claims his tokens 1 by 1.