The IndexPoolFactory.deployPool function decodes the _deployData to receive the tokens.
However, it does not sort these tokens.
The comment in IndexPool.constructor, however, shows that the pool expects the factory to have sorted them:
"// @dev Factory ensures that the tokens are sorted."
Impact
As a result, the same pool with the exact same parameters can be created several times, because a different token order leads to a different salt.
This fragments liquidity across several pools that are exactly the same and makes it hard for the frontend/smart contracts to decide on a single canonical pool.
Recommended Mitigation Steps
Sort the tokens and re-encode the deployData with the sorted tokens.
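One way to implement this mitigation, as an added sketch that is not code from the project or from the report. It assumes deployData is laid out as abi.encode(address[] tokens, uint136[] weights, uint256 swapFee) and that the salt is derived from the hash of deployData; the library and function names are hypothetical. Each weight is moved together with its token, since sorting the token array alone would pair tokens with the wrong weights.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added illustration, not project code.
/// ASSUMPTION: deployData = abi.encode(address[] tokens, uint136[] weights, uint256 swapFee).
library DeployDataCanonicalizer {
    /// Re-encodes deployData with tokens in strictly ascending address order.
    function canonicalize(bytes memory deployData) internal pure returns (bytes memory) {
        (address[] memory tokens, uint136[] memory weights, uint256 swapFee) =
            abi.decode(deployData, (address[], uint136[], uint256));
        require(tokens.length == weights.length, "LENGTH_MISMATCH");

        // Insertion sort (token lists are short). The weight travels with its
        // token so every (token, weight) pair stays intact after sorting.
        for (uint256 i = 1; i < tokens.length; i++) {
            address token = tokens[i];
            uint136 weight = weights[i];
            uint256 j = i;
            while (j > 0 && tokens[j - 1] > token) {
                tokens[j] = tokens[j - 1];
                weights[j] = weights[j - 1];
                j--;
            }
            tokens[j] = token;
            weights[j] = weight;
        }

        // Strictly ascending also rejects duplicate tokens.
        for (uint256 i = 1; i < tokens.length; i++) {
            require(tokens[i - 1] < tokens[i], "DUPLICATE_TOKEN");
        }

        return abi.encode(tokens, weights, swapFee);
    }

    /// ASSUMPTION: the salt is the hash of deployData. Hashing the canonical
    /// encoding gives every ordering of the same token set the same salt.
    function canonicalSalt(bytes memory deployData) internal pure returns (bytes32) {
        return keccak256(canonicalize(deployData));
    }
}
```

The factory would pass the canonical bytes, not the caller's original bytes, both to the salt derivation and to the pool constructor, so the constructor's sorted-tokens expectation holds.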
Handle
cmichel