code-423n4 / 2021-11-vader-findings

Unsupported tokens can be given fungible LP support #230

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

TomFrench

Vulnerability details

Impact

VaderPoolV2.setFungibleSupport is incorrect wrt spec

Proof of Concept

VaderPoolV2.setFungibleSupport specifies that it requires that foreignAsset is already supported, yet no such requirement exists.

https://github.com/code-423n4/2021-11-vader/blob/607d2b9e253d59c782e921bfc2951184d3f65825/contracts/dex-v2/pool/VaderPoolV2.sol#L425-L437

Recommended Mitigation Steps

Update spec or remove stated requirement

SamSteinGG commented 2 years ago

The createWrapper function performs this validation.

alcueca commented 2 years ago

Downgraded to code clarity issue. Validation should be done on the function requiring it, and when that doesn't happen it should be clearly documented.