Category: Coding Mistakes
Withdrawal does not send tokens
Severity: Critical
Impact: Critical
Likelihood: High
Description
The function responsible for withdrawing $RUJI from the protocol does not add a message that sends the tokens to the withdrawing user. The response it returns contains only an event.
#[cfg_attr(not(feature = "library"), entry_point)]
pub fn execute(...)
    ...
        ExecuteMsg::Withdraw { share_amount } => {
            nonpayable(&info)?;
            let amount = execute_withdraw(deps.storage, &config, time, &info.sender, share_amount)?;
            Ok(Response::default().add_event(
                Event::new("merge/withdraw")
                    .add_attribute("account", info.sender)
                    .add_attribute("shares", share_amount)
                    .add_attribute("amount", amount),
            ))
        }
    ...
}
Impact
Users will not get their funds.
Recommendations
Add the relevant logic to send $RUJI to users withdrawing.
Remediation
Ruji Holdings remediated this issue in commit 86990dc0 by editing the relevant logic so that it adds a BankMsg::Send to the response.
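A regression check for this class of bug, as an added example that is not code from Ruji Holdings or from the audit: it asserts that a withdraw response actually pays the caller the amount the accounting computed. The `Msg` and `Response` types are simplified stand-ins for the cosmwasm_std types so the block compiles on its own, and the pro-rata `Pool`, the `uruji` denom string, and the `attach_send` flag are assumptions made for illustration.

```rust
// Stand-ins for cosmwasm_std's Response and BankMsg::Send (assumed shapes, not the real crate).
#[derive(Debug, PartialEq)]
enum Msg {
    BankSend { to: String, denom: String, amount: u128 },
}

#[derive(Debug, Default)]
struct Response {
    messages: Vec<Msg>,
    events: Vec<String>,
}

const DENOM: &str = "uruji"; // hypothetical denom string for $RUJI
// Hypothetical pro-rata pool standing in for the state behind execute_withdraw.
struct Pool {
    total_shares: u128,
    balance: u128,
}

// Burns shares and builds the response. `attach_send = false` reproduces the
// reported handler (event only); `true` is the remediated shape.
fn withdraw(pool: &mut Pool, sender: &str, shares: u128, attach_send: bool) -> Option<(u128, Response)> {
    if shares == 0 || shares > pool.total_shares {
        return None;
    }
    let amount = shares * pool.balance / pool.total_shares;
    pool.total_shares -= shares;
    pool.balance -= amount;
    let mut resp = Response::default();
    resp.events.push(format!("merge/withdraw account={sender} shares={shares} amount={amount}"));
    if attach_send {
        resp.messages.push(Msg::BankSend { to: sender.into(), denom: DENOM.into(), amount });
    }
    Some((amount, resp))
}

// Regression check: total of the expected denom that the response sends to `sender`.
fn paid_to(resp: &Response, sender: &str) -> u128 {
    resp.messages.iter().map(|m| match m {
        Msg::BankSend { to, denom, amount } if to == sender && denom == DENOM => *amount,
        _ => 0,
    }).sum()
}

fn main() {
    let mut pool = Pool { total_shares: 1_000, balance: 5_000 };
    let (amount, resp) = withdraw(&mut pool, "alice", 100, false).unwrap();
    println!("owed {amount}, response pays {}", paid_to(&resp, "alice"));
}
```

In a real CosmWasm test suite the same assertion would be made against the `messages` of the `Response` returned by `execute`, so that a handler which only emits an event fails the test.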