The contract has a potential vulnerability in the withdraw function. The function uses the msg.sender address to check the balance of the user, but it does not validate whether the user actually owns any Ether in the contract. This means that an attacker could call the withdraw function with a fake or malicious address, causing the contract to send out all the Ether in the contract's balance.
The line of code that causes this vulnerability is:
(bool sent,) = msg.sender.call{value: bal}("");
To remediate this issue, you can add a check to ensure that the user actually owns some Ether in the contract before attempting to withdraw it. Here's an example of how you could modify the withdraw function to include this check:
function withdraw() public {
    uint256 bal = balances[msg.sender];
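
One way a complete withdraw function with the balance check described above could look. This is an added example, not the original contract's code: the contract name Vault, the deposit function, the Withdrawal event and the revert messages are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example: Vault, deposit and Withdrawal are assumed names,
// not taken from the original contract.
contract Vault {
    // Ether recorded per depositor.
    mapping(address => uint256) public balances;

    event Withdrawal(address indexed account, uint256 amount);

    function deposit() public payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw() public {
        uint256 bal = balances[msg.sender];

        // The check described above: the caller must have a recorded balance.
        require(bal > 0, "no balance to withdraw");

        // Clear the recorded balance before the external call, so the amount
        // sent is always backed by state that has already been updated.
        balances[msg.sender] = 0;

        // Send only the caller's own recorded amount.
        (bool sent, ) = msg.sender.call{value: bal}("");

        // A failed transfer reverts the whole call, restoring the balance.
        require(sent, "failed to send Ether");

        emit Withdrawal(msg.sender, bal);
    }
}
```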