The fix will not work in case of multiple addresses base tokens

[code423n4]

Lines of code

https://github.com/outdoteth/caviar-private-pools/blob/main/src/PrivatePool.sol#L472

Vulnerability details

Impact

Applied fix will not work in case if base token is multiple address token.

Proof of Concept

In case if multiple address token is used by pool's owner, then added check is not enough to restrict owner of pool from stealing user's funds using another token address.

The reason why i believe this is valid finding is because this report that was accepted as valid is also using non standard erc20 token. Because such tokens are very rare, i think it's medium severity.

Tools Used

VsCode

Recommended Mitigation Steps

I don't know how to handle this correctly. Maybe factory can have whitelisted base tokens that are allowed.

Assessed type

Invalid Validation

[outdoteth]

duplicate of https://github.com/code-423n4/2023-05-caviar-mitigation-contest-findings/issues/16

[c4-sponsor]

outdoteth requested judge review

[c4-judge]

GalloDaSballo changed the severity to QA (Quality Assurance)

[GalloDaSballo]

Downgrading to QA because of low likelyhood, as well as the fact that the new owner could do due diligence to prevent that

[c4-judge]

GalloDaSballo marked the issue as grade-c

[GalloDaSballo]

Would rate as Low Severity, closing for awarding