Lines of code
https://github.com/code-423n4/2022-06-connext/blob/4dd6149748b635f95460d4c3924c7e3fb6716967/contracts/contracts/core/connext/helpers/TokenRegistry.sol#L141
Vulnerability details
Issue: enrollCustom() is too permissive.
Consequences: if the owner key on one chain is compromised, the attacker can enroll malicious tokens and thereby make funds on other chains exploitable.
Affected Code
Mitigations
Consider enrolling custom tokens behind a timelock: a new token is first proposed and only becomes usable after X days have passed. Off-chain monitoring can then listen for enrollment events on chain and raise an alert on unauthorized enrollments in case the owner gets compromised.
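One way to implement the timelocked enrollment suggested above, as an added example that is not Connext's TokenRegistry code: the owner proposes a custom token, an event is emitted immediately so monitoring can react, and the enrollment can only be finalized after a fixed delay. The contract name, the `ENROLL_DELAY` value and the mapping layout are assumptions for illustration; the delay stands in for the "X days" above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical timelocked token registry (added example, not Connext code).
contract TimelockedTokenRegistry {
    // Assumed value for the "X days" waiting period.
    uint256 public constant ENROLL_DELAY = 3 days;

    address public owner;

    struct PendingEnrollment {
        uint32 domain;    // canonical domain of the token
        bytes32 id;       // canonical token id on that domain
        uint256 readyAt;  // earliest timestamp at which finalize may run (0 = none)
    }

    // Proposals keyed by the custom token address on this chain.
    mapping(address => PendingEnrollment) public pending;
    // Final enrolled state, only written after the delay has elapsed.
    mapping(address => bool) public isEnrolled;
    mapping(uint32 => mapping(bytes32 => address)) public canonicalToRepresentation;

    // Monitoring listens for EnrollmentProposed: any proposal the team did not
    // initiate is a signal that the owner key may be compromised.
    event EnrollmentProposed(address indexed custom, uint32 domain, bytes32 id, uint256 readyAt);
    event EnrollmentFinalized(address indexed custom, uint32 domain, bytes32 id);
    event EnrollmentCancelled(address indexed custom);

    modifier onlyOwner() {
        require(msg.sender == owner, "!owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    /// Step 1: propose. Nothing is usable yet; only the event and the pending slot change.
    function proposeCustom(uint32 _domain, bytes32 _id, address _custom) external onlyOwner {
        require(_custom != address(0), "!custom");
        require(!isEnrolled[_custom], "already enrolled");
        require(pending[_custom].readyAt == 0, "already pending");

        uint256 readyAt = block.timestamp + ENROLL_DELAY;
        pending[_custom] = PendingEnrollment(_domain, _id, readyAt);
        emit EnrollmentProposed(_custom, _domain, _id, readyAt);
    }

    /// Step 2: finalize, only once the delay has passed.
    function finalizeCustom(address _custom) external onlyOwner {
        PendingEnrollment memory p = pending[_custom];
        require(p.readyAt != 0, "nothing pending");
        require(block.timestamp >= p.readyAt, "timelock active");

        delete pending[_custom];
        isEnrolled[_custom] = true;
        canonicalToRepresentation[p.domain][p.id] = _custom;
        emit EnrollmentFinalized(_custom, p.domain, p.id);
    }

    /// Escape hatch: a proposal that monitoring flagged can be dropped before it matures.
    function cancelCustom(address _custom) external onlyOwner {
        require(pending[_custom].readyAt != 0, "nothing pending");
        delete pending[_custom];
        emit EnrollmentCancelled(_custom);
    }
}
```

The delay is what buys the response window: an alert on `EnrollmentProposed` from an unexpected caller gives the team `ENROLL_DELAY` to rotate the owner key and call `cancelCustom` before `finalizeCustom` can succeed. In this sketch cancellation is also owner-gated, so a compromised owner could cancel legitimate proposals (a nuisance, not a fund loss); a common refinement is to let a separate guardian key cancel as well.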