Unprotected (external/public) function calls sending Ether/tokens to user-controlled addresses may allow users to withdraw unauthorized funds.
(see here)
- Unprotected Withdraw Functions
- Public/External -> Withdraw ETH/Tokens
- Unauthorized Withdraws -> Loss of Funds
- Access Control -> Withdraw Functions