Closed code423n4 closed 2 years ago
require(vaults[_token] == address(0), "!_token")
already checks for duplicated tokens.
I think this is a valid issue. Effectively a duplicate of https://github.com/code-423n4/2021-09-yaxis-findings/issues/3
The check require(vaults[_token] == address(0), "!_token")
did not exist when the contracts were part of the contest.
I would also change the severity to high risk, just like in the duplicated issue.
My bad, I missed that the check was added after the contest ended.
Duplicate of #3
Handle
0xRajeev
Vulnerability details
Impact
addToken does not check for token being added a duplicate of what was already added. If a duplicate token is added, removeToken only removes the first matching token and the later duplicates still remain. With the vault[token] deleted, this may lead to undefined behavior.
Proof of Concept
https://github.com/code-423n4/2021-09-yaxis/blob/cf7d9448e70b5c1163a1773adb4709d9d6ad6c99/contracts/v3/Manager.sol#L420-L436
https://github.com/code-423n4/2021-09-yaxis/blob/cf7d9448e70b5c1163a1773adb4709d9d6ad6c99/contracts/v3/Manager.sol#L462-L490
Tools Used
Manual Analysis
Recommended Mitigation Steps
Check for duplicate token being added and do not add such duplicates.