Description
There is no validation inside setProviders to check that the new providers array contains all of the vault's current active debt positions. If any active debt position is missed, the vault will underestimate its total assets, leaving the vault exposed until this is corrected.
Remediation to consider
Since access to this function is limited to admins through a timelock, we can expect them to always act in the protocol's interest. However, consider adding a check at the smart contract level to ensure that none of the providers holding a current active debt position are missed, which removes this exposure completely.
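One way the suggested check could look, as an added sketch that is not the audited project's code. The IProvider interface, its positionBalance function, the _providers storage array and the ActivePositionDropped error are all hypothetical names, and the admin/timelock access control is left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Hypothetical provider interface: the page does not show the real one.
interface IProvider {
    // Assumed to return the vault's outstanding balance at this provider.
    function positionBalance(address vault) external view returns (uint256);
}

contract VaultProvidersSketch {
    IProvider[] internal _providers; // hypothetical storage layout

    error ActivePositionDropped(address provider);

    // Access control (admin through timelock, per the finding) is omitted.
    function setProviders(IProvider[] calldata newProviders) external {
        uint256 currentLen = _providers.length;
        for (uint256 i = 0; i < currentLen; i++) {
            IProvider current = _providers[i];
            // A provider with no balance for this vault may be dropped freely.
            if (current.positionBalance(address(this)) == 0) continue;
            // A provider that still holds a position must stay in the list,
            // otherwise the vault would stop counting it.
            if (!_contains(newProviders, current)) {
                revert ActivePositionDropped(address(current));
            }
        }

        // Replace the stored list only after every active provider is accounted for.
        delete _providers;
        for (uint256 j = 0; j < newProviders.length; j++) {
            _providers.push(newProviders[j]);
        }
    }

    // Linear scan; provider lists are assumed to be short.
    function _contains(IProvider[] calldata list, IProvider p)
        private
        pure
        returns (bool)
    {
        for (uint256 k = 0; k < list.length; k++) {
            if (address(list[k]) == address(p)) return true;
        }
        return false;
    }
}
```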