This function takes a cTokens array as a parameter, and each token is added to the market. However, the token is not checked for validity: the code does not check whether the token is really a token, a contract, or a user.
The caller can pass a user address and enter the market.
See the test below to replicate the issue.
https://github.com/code-423n4/2022-04-dualityfocus/blob/main/contracts/compound_rari_fork/Comptroller.sol#L115
await this.comptroller
  .connect(this.user1)
  .enterMarkets([this.zETH.address, this.user2.address, this.user2.address]);
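The validity check the report says is missing, sketched as an added example that is not taken from the project's Comptroller.sol. The contract name `MarketRegistry`, the `listMarket` function and the storage layout are assumptions chosen for illustration; `enterMarkets` reverts on any address that the admin has not listed, and skips repeated entries such as the duplicated `user2` address in the test above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.1;

// Simplified stand-alone model with hypothetical names; not the project's Comptroller.
contract MarketRegistry {
    address public admin;
    mapping(address => bool) public isListed;                     // markets approved by admin
    mapping(address => mapping(address => bool)) public isMember; // market => account => entered
    mapping(address => address[]) private assetsIn;               // account => markets entered

    event MarketListed(address indexed market);
    event MarketEntered(address indexed market, address indexed account);

    constructor() {
        admin = msg.sender;
    }

    // Admin lists a market; externally owned (user) addresses have no code and are refused.
    function listMarket(address market) external {
        require(msg.sender == admin, "only admin");
        require(market.code.length > 0, "not a contract");
        require(!isListed[market], "already listed");
        isListed[market] = true;
        emit MarketListed(market);
    }

    // Enter several markets; one unlisted address reverts the whole call.
    function enterMarkets(address[] calldata markets) external {
        for (uint256 i = 0; i < markets.length; i++) {
            address market = markets[i];
            require(isListed[market], "market not listed");
            if (isMember[market][msg.sender]) {
                continue; // repeated in the array, or entered in an earlier call
            }
            isMember[market][msg.sender] = true;
            assetsIn[msg.sender].push(market);
            emit MarketEntered(market, msg.sender);
        }
    }

    function getAssetsIn(address account) external view returns (address[] memory) {
        return assetsIn[account];
    }
}
```

With this model, the call in the test above would revert with "market not listed" at the first `user2` address, and a regression test can assert on that revert.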