The issue seems to be resolved: furnace.melt() is now called whenever an RToken is involved, regardless of the last refresh.
It seems that it’s possible to send a list with duplicate entries, but that doesn’t seem to have any harmful effect, and the function would probably revert (due to having zero balance at the second entry, or due to trying to open multiple trades on the same asset).
It might be a good idea to check for duplicates just to be sure.
It might be better to skip assets with zero balance or with an open trade rather than revert, since there might be cases where another user started a trade for that asset in the meantime.
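A sketch of both suggestions, added here as an illustration and not taken from the project's code: duplicates in the list are rejected explicitly, while assets with an open trade or a zero balance are skipped so that one raced entry does not revert the whole batch. The contract, function, mapping and event names are hypothetical, and rejecting duplicates (rather than skipping them) is a choice made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

interface IERC20Like {
    function balanceOf(address account) external view returns (uint256);
}

/// Hypothetical batch trader; all names here are assumptions for illustration.
abstract contract BatchTraderSketch {
    // asset => open trade contract, zero address when none (assumed bookkeeping)
    mapping(address => address) public openTrade;

    event TradeSkipped(address indexed asset, bytes32 reason);

    /// Opens a trade for `amount` of `asset`; left to the concrete trader.
    function _openTrade(address asset, uint256 amount) internal virtual returns (address);

    function manageBatch(address[] calldata assets) external {
        uint256 len = assets.length;
        for (uint256 i = 0; i < len; ++i) {
            address asset = assets[i];

            // Duplicates are a caller error, so fail loudly instead of relying
            // on a later zero-balance or open-trade revert. O(n^2) comparison,
            // acceptable for the short lists expected here.
            for (uint256 j = 0; j < i; ++j) {
                require(assets[j] != asset, "duplicate asset");
            }

            // Another user may have opened a trade for this asset after the
            // caller built the list: skip the entry, keep the rest of the batch.
            if (openTrade[asset] != address(0)) {
                emit TradeSkipped(asset, "trade open");
                continue;
            }

            // Nothing to sell (for example, the balance already moved into a trade).
            uint256 bal = IERC20Like(asset).balanceOf(address(this));
            if (bal == 0) {
                emit TradeSkipped(asset, "zero balance");
                continue;
            }

            openTrade[asset] = _openTrade(asset, bal);
        }
    }
}
```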