code-423n4 / 2024-01-salty-findings


Lack of check on tokens with multiple entrances still makes it possible for arbitrage bots to gain profits #598

Closed c4-bot-6 closed 5 months ago

c4-bot-6 commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/pools/PoolUtils.sol#L32-L39
https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/arbitrage/ArbitrageSearch.sol#L31-L58

Vulnerability details

Impact

There are some tokens with multiple entry points, like TUSD. The contract doesn't check whether a token has multiple addresses when whitelisting pools or tokens. As a result, pools with different poolIDs could be created that actually point to the same token pair. As a result, swapping on one pool still leaves profits for arbitrage bots, which is not quite consistent with the "Automatic Arbitrage" description of the SALTY DEX.

Proof of Concept

Consider the following scenario.

  1. A token has two addresses, addrA and addrB. Both are whitelisted and pools are created. Let's say both token prices are 10 USDT.
  2. A user buys the token addrA with USDT, so the WETH-addrA-USDT-WETH arbitrage path is triggered. After the arbitrage, the token price of addrA is 12 USDT.
  3. An arbitrage bot could sell tokens at addrA-USDT and buy at addrB-USDT. Thus it can still make profits, which should also be considered in auto-arbitrage.

Tools Used

Manual

Recommended Mitigation Steps

  1. Add a check/flag if the token has multiple addresses or not.
  2. When a swap is made and a token has multiple addresses, the arbitrage across different addresses should also be taken into account.

Assessed type

ERC20
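A small model of the scenario and of mitigation step 1, added here as an illustration; it is not code from the report or from the Salty repository. The addresses, reserves, the `canonical` alias registry, the fee-free constant-product pool and the use of sha256 for the pool ID are all assumptions made for the example.

```python
import math
from collections import defaultdict
from hashlib import sha256

# Constructed addresses, not real contracts.
USDT = "0x" + "11" * 20
ADDR_A = "0x" + "aa" * 20   # first entry point of the token
ADDR_B = "0x" + "bb" * 20   # second entry point of the same token

def pool_id(t0, t1):
    """Order-independent ID over the raw address pair (sha256 is a stand-in hash)."""
    lo, hi = sorted((t0.lower(), t1.lower()))
    return sha256(bytes.fromhex(lo[2:] + hi[2:])).hexdigest()

class Pool:
    """Constant-product pool: token reserve x, USDT reserve y, fees ignored."""
    def __init__(self, token, x, y):
        self.token, self.x, self.y = token, x, y
        self.id = pool_id(token, USDT)

    def price(self):
        return self.y / self.x

    def buy_until(self, target_price):
        """Apply a USDT-in swap that moves the spot price up to target_price."""
        k = self.x * self.y
        self.y = math.sqrt(k * target_price)
        self.x = k / self.y

def aliased_groups(pools, canonical):
    """Group pools by canonical asset; a group larger than 1 duplicates one pair."""
    groups = defaultdict(list)
    for p in pools:
        groups[canonical.get(p.token, p.token)].append(p)
    return {asset: ps for asset, ps in groups.items() if len(ps) > 1}

def price_gaps(pools, canonical):
    """Relative spot-price spread inside each aliased group."""
    return {asset: max(p.price() for p in ps) / min(p.price() for p in ps) - 1
            for asset, ps in aliased_groups(pools, canonical).items()}

def scenario():
    a = Pool(ADDR_A, 1_000.0, 10_000.0)   # step 1: both pools start at 10 USDT
    b = Pool(ADDR_B, 1_000.0, 10_000.0)
    a.buy_until(12.0)                     # step 2: addrA pool ends at 12 USDT
    canonical = {ADDR_A: "TOKEN", ADDR_B: "TOKEN"}  # hypothetical alias registry
    return a, b, price_gaps([a, b], canonical)
```

With an empty registry `price_gaps` returns nothing, because a pool ID keyed on raw addresses treats the two pools as unrelated pairs.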

c4-judge commented 5 months ago

Picodes marked the issue as unsatisfactory: Insufficient proof

Picodes commented 5 months ago

Unclear. How can a token have 2 addresses?