VaderPoolV2 owner can steal all user assets which are approved VaderPoolV2

[code423n4]

Handle

TomFrenchBlockchain

Vulnerability details

Impact

Possible theft of all user assets with an ERC20 approval on VaderPoolV2

Proof of Concept

The owner of VaderPoolV2 can call the setTokenSupport function which allows the caller to supply any address from which to take the assets to provide the initial liquidity, the owner can also specify who shall receive the resulting LP NFT and so can take ownership over these assets. This call will succeed for any address which has an ERC20 approval on VaderPoolV2 for USDV and foreignAsset.

https://github.com/code-423n4/2021-12-vader/blob/00ed84015d4116da2f9db0c68db6742c89e73f65/contracts/dex-v2/pool/VaderPoolV2.sol#L442-L474

This in effect gives custody over all assets in user wallets which are approved on VaderPoolV2 to Vader Protocol governance. This is especially problematic in the case of Vader Protocol as there's a single entity (i.e. the Council) which can force through a proposal to steal these assets for themselves with only the timelock giving protection to users, for this reason I give this high severity.

Recommended Mitigation Steps

Enforce that the initial liquidity is provided by the VaderPoolV2 owner.