code-423n4 / 2021-10-slingshot-findings


Left-over tokens can be stolen #82

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

cmichel

Vulnerability details

This is probably what is meant by:

"rescueTokens and rescueTokensFromExecutioner can be gamed however it is not a concern. They are in place "just in case" and should not be used in the first place."

However, this approach does not even call rescueTokens and rescueTokensFromExecutioner, so I thought I'd mention it just in case.

There are several ways tokens can end up in the Executioner:

These left-over tokens can be stolen by a backrunner that does not provide any tokens itself (fromAmount = 0) but still trades these tokens using the encodedCalldata and receives the swap output.

Impact

Tokens that end up in the contract after a series of misconfigured trades can be stolen by anyone.

Recommended Mitigation Steps

This is rather cumbersome to completely prevent with the current opaque encodedCalldata and not knowing which tokens are touched.
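One way to at least bound what the opaque call may spend, as an added sketch that is not Slingshot's Executioner code: `ExecutionerSketch`, `executeSwap`, `target` and the balance snapshot are hypothetical names, and the sketch assumes the executor pulls `fromAmount` of `fromToken` from the caller and then executes `encodedCalldata` against an arbitrary `target`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Hypothetical executor sketch (not Slingshot's Executioner). It holds the
/// caller's input tokens only for the duration of the swap and checks that
/// the opaque calldata did not consume fromToken that was already sitting
/// in the contract before the call. Output routing is omitted for brevity.
contract ExecutionerSketch {
    function executeSwap(
        address fromToken,
        uint256 fromAmount,
        address target,
        bytes calldata encodedCalldata
    ) external {
        // Snapshot the pre-existing balance before pulling the caller's funds;
        // this is the left-over amount that a fromAmount = 0 caller would
        // otherwise be able to trade for free.
        uint256 leftoverBefore = IERC20(fromToken).balanceOf(address(this));

        // Vulnerable pattern: skipping the two checks below and running
        // encodedCalldata directly lets anyone spend that leftover balance.
        require(fromAmount > 0, "nothing to trade");
        require(
            IERC20(fromToken).transferFrom(msg.sender, address(this), fromAmount),
            "pull failed"
        );

        (bool ok, ) = target.call(encodedCalldata);
        require(ok, "swap failed");

        // Hardened form: the call may consume at most the caller's fromAmount,
        // so the pre-existing balance of fromToken must still be intact.
        require(
            IERC20(fromToken).balanceOf(address(this)) >= leftoverBefore,
            "calldata spent left-over tokens"
        );
    }
}
```

Because encodedCalldata stays opaque, this invariant only protects the declared fromToken; any other token sitting in the executor remains exposed, which is exactly the limitation noted above.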

tommyz7 commented 2 years ago

This is true, however, as stated in the contest readme, it's not a concern.