code-423n4 / 2023-10-ens-findings


Same multiple values in source result in wrong withdrawal #665

Closed c4-submissions closed 11 months ago

c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-10-ens/blob/main/contracts/ERC20MultiDelegate.sol#L65-L116

Vulnerability details

Impact


If, by mistake, the same delegate value is given multiple times in the sources array, then withdrawal is affected.

Proof of Concept


In the test related to "Should be able to withdraw fully", if the same value is given several times in the source array (as here, where bob is given 3 times), then the withdraw test reverts.

  // Fragment of the contest's Hardhat test file: `token`, `multiDelegate`,
  // `deployer`, `bob` and chai's `expect` come from the enclosing describe block.
  describe('withdraw', () => {
    it('should be able to withdraw fully', async () => {
      const delegatorTokenAmount = await token.balanceOf(deployer);
      // const customAmount = ethers.utils.parseEther('10000000.0'); // ens

      // give allowance to multi delegate contract
      await token.approve(multiDelegate.address, delegatorTokenAmount);
      // delegate multiple delegates: the same delegate (bob) is listed three times
      const delegates = [bob, bob, bob];
      const amounts = delegates.map(() =>
        delegatorTokenAmount.div(delegates.length)
      );

      // deposit: no sources, three targets
      await multiDelegate.delegateMulti([], delegates, amounts);

      const delegatorTokenAmountAfterDeposit = await token.balanceOf(deployer);
      expect(delegatorTokenAmountAfterDeposit.toString()).to.equal('0');

      // withdraw: three sources, no targets
      await multiDelegate.delegateMulti(delegates, [], amounts);

      const delegatorTokenAmountAfterWithdraw = await token.balanceOf(deployer);
      expect(delegatorTokenAmountAfterWithdraw.toString()).to.equal(
        delegatorTokenAmount.toString()
      );
    });
  });

Tools Used

Manually

Recommended Mitigation Steps

Apply a check to avoid the same value appearing multiple times in sources.

Assessed type

Error
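The check the report recommends can be expressed off-chain as a pre-flight validation of the `delegateMulti(sources, targets, amounts)` arguments. The block below is an added example, not code from the ENS repository or from the report, and it assumes the call model visible in the test above: `amounts.length` equals `max(sources.length, targets.length)`, and `amounts[i]` is taken from `sources[i]` (when that index exists) and given to `targets[i]` (when that index exists). The helper rejects repeated delegates, computes the net change per delegate, and, when given the caller's current per-delegate balances (a constructed map keyed by lower-case address), flags any withdrawal that exceeds what the caller holds. The function and constant names are the example's own; the addresses are constructed placeholders, not real accounts.

```javascript
// Added example (not ENS code, not the report's code): off-chain pre-flight
// validation for delegateMulti-style arguments. Assumed call model:
//   amounts.length == max(sources.length, targets.length), amounts[i] is
//   debited from sources[i] and credited to targets[i] where those exist.
const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;

// Lower-cases an address so a checksummed and a lower-case spelling of the
// same account are treated as the same key.
function normalizeAddress(addr) {
  if (typeof addr !== "string" || !ADDRESS_RE.test(addr)) {
    throw new Error(`invalid address: ${String(addr)}`);
  }
  return addr.toLowerCase();
}

// Returns the normalized addresses that occur more than once in `addresses`.
function findDuplicates(addresses) {
  const seen = new Set();
  const dups = new Set();
  for (const a of addresses) {
    const n = normalizeAddress(a);
    if (seen.has(n)) dups.add(n);
    seen.add(n);
  }
  return [...dups];
}

// Net delegation change per delegate implied by one call: negative values are
// amounts leaving that delegate, positive values are amounts entering it.
// Amounts are handled as BigInt so large token amounts cannot overflow.
function netChangePerDelegate(sources, targets, amounts) {
  const n = Math.max(sources.length, targets.length);
  if (amounts.length !== n) {
    throw new Error(`amounts.length must be ${n}, got ${amounts.length}`);
  }
  const net = new Map();
  const add = (addr, delta) => {
    const key = normalizeAddress(addr);
    net.set(key, (net.get(key) ?? 0n) + delta);
  };
  for (let i = 0; i < n; i++) {
    const amount = BigInt(amounts[i]);
    if (amount < 0n) throw new Error(`negative amount at index ${i}`);
    if (i < sources.length) add(sources[i], -amount);
    if (i < targets.length) add(targets[i], amount);
  }
  return net;
}

// Full pre-flight check. Throws on malformed arguments, on a delegate repeated
// in either array (the situation the report describes), and, when a map of the
// caller's current per-delegate balances (keyed by lower-case address) is
// supplied, on any delegate whose net outflow exceeds what the caller holds.
// Returns the net-change map on success.
function checkDelegateMultiArgs(sources, targets, amounts, currentBalances = null) {
  const net = netChangePerDelegate(sources, targets, amounts);
  const dupSources = findDuplicates(sources);
  const dupTargets = findDuplicates(targets);
  if (dupSources.length > 0 || dupTargets.length > 0) {
    throw new Error(
      `repeated delegates: sources=[${dupSources}] targets=[${dupTargets}]`
    );
  }
  if (currentBalances) {
    for (const [addr, delta] of net) {
      const held = BigInt(currentBalances.get(addr) ?? 0n);
      if (delta < 0n && -delta > held) {
        throw new Error(`withdrawal of ${-delta} from ${addr} exceeds held ${held}`);
      }
    }
  }
  return net;
}

// Constructed sample data (placeholder addresses, not real accounts).
const BOB = "0x000000000000000000000000000000000000b0b0";
const ALICE = "0x000000000000000000000000000000000000a11c";

// Walks through the report's scenario (bob listed three times) and a valid call.
function demo() {
  const net = netChangePerDelegate([BOB, BOB, BOB], [], [10n, 10n, 10n]);
  console.log("net change for bob:", net.get(BOB).toString());
  try {
    checkDelegateMultiArgs([BOB, BOB, BOB], [], [10n, 10n, 10n]);
  } catch (e) {
    console.log("rejected:", e.message);
  }
  const ok = checkDelegateMultiArgs([ALICE], [BOB], [5n]);
  console.log("alice -> bob:", ok.get(ALICE).toString(), ok.get(BOB).toString());
}

demo();
```

Whether such a guard belongs in the contract or in the caller is a separate question (the judge marked this report invalid); the helper only shows that the condition the report describes is cheap to detect before a transaction is sent, and the net-change map gives the caller the per-delegate balance it must actually hold for the withdrawal leg to succeed.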

c4-pre-sort commented 11 months ago

141345 marked the issue as primary issue

c4-pre-sort commented 11 months ago

141345 marked the issue as duplicate of #617

c4-pre-sort commented 11 months ago

141345 marked the issue as sufficient quality report

c4-judge commented 10 months ago

hansfriese marked the issue as unsatisfactory: Invalid