The withdraw function does not check that the authority has signed. Now, can you exploit this?
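To make the missing check concrete, here is an added example (not code from the original page or its project): a simplified Rust model of a withdraw routine without and with the signer check. The `AccountInfo`, `Wallet`, `WithdrawError`, `withdraw_unchecked` and `withdraw_checked` names, the key comparison, and the `is_signer` flag set by the runtime are assumptions made for illustration.

```rust
// Simplified model (assumption): only the fields that matter for the check.
#[derive(Debug, PartialEq)]
pub enum WithdrawError { MissingSignature, WrongAuthority, InsufficientFunds }

/// An account supplied by the caller. `is_signer` is assumed to be set by the
/// runtime only when the transaction carries a valid signature for `key`.
pub struct AccountInfo { pub key: [u8; 4], pub is_signer: bool }

/// Wallet state: who may withdraw, and how much is held.
pub struct Wallet { pub authority: [u8; 4], pub balance: u64 }

/// The flawed pattern: the supplied key is compared with the stored authority,
/// but nothing proves that the holder of that key approved the call.
pub fn withdraw_unchecked(w: &mut Wallet, authority: &AccountInfo, amount: u64)
    -> Result<u64, WithdrawError> {
    if authority.key != w.authority { return Err(WithdrawError::WrongAuthority); }
    w.balance = w.balance.checked_sub(amount).ok_or(WithdrawError::InsufficientFunds)?;
    Ok(w.balance)
}

/// Hardened form: reject the call unless the authority account has signed,
/// then apply the same key and balance checks.
pub fn withdraw_checked(w: &mut Wallet, authority: &AccountInfo, amount: u64)
    -> Result<u64, WithdrawError> {
    if !authority.is_signer { return Err(WithdrawError::MissingSignature); }
    if authority.key != w.authority { return Err(WithdrawError::WrongAuthority); }
    w.balance = w.balance.checked_sub(amount).ok_or(WithdrawError::InsufficientFunds)?;
    Ok(w.balance)
}

fn main() {
    // Constructed sample data: the key is public, so anyone can name it.
    let mut w = Wallet { authority: *b"auth", balance: 100 };
    let unsigned = AccountInfo { key: *b"auth", is_signer: false };
    println!("unchecked, unsigned: {:?}", withdraw_unchecked(&mut w, &unsigned, 40));
    println!("checked, unsigned:   {:?}", withdraw_checked(&mut w, &unsigned, 40));
    let signed = AccountInfo { key: *b"auth", is_signer: true };
    println!("checked, signed:     {:?}", withdraw_checked(&mut w, &signed, 40));
}
```

A regression test for the fix should pass the correct authority key with `is_signer` false and assert that the call is rejected and the balance is unchanged.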