`addManagedNFT()` - Due to how the adding of new NFT contract instances works, can add same LI NFT contract address more than once to the `ManagedNFTs` array.

[c4-bot-2]

Lines of code

https://github.com/code-423n4/2024-02-althea-liquid-infrastructure/blob/3adc34600561077ad4834ee9621060afd9026f06/liquid-infrastructure/contracts/LiquidInfrastructureERC20.sol#L347-L353

Vulnerability details

There are no checks to ensure same LI NFT contract cannot be added more than once:

    function addManagedNFT(address nftContract) public onlyOwner { 
        LiquidInfrastructureNFT nft = LiquidInfrastructureNFT(nftContract);
        address nftOwner = nft.ownerOf(nft.AccountId());
        require(nftOwner == address(this), "this contract does not own the new ManagedNFT");
        ManagedNFTs.push(nftContract); 
        emit AddManagedNFT(nftContract);
    }

Impact:

• withdrawFromManagedNFTs() will revert due to zero balance in NFT contract at second withdrawal attempt from same LI NFT contract address, due to balance being less than amount to withdraw.

Recommendation:

• Add a check to addManagedNFT() to check if already added.
• use a for loop to cycle through the ManagedNFTs array to check for array entry with address == the new nftContract address.
• add this for loop above the ManagedNFTs.push(nftContract); line, L351.

Assessed type

Invalid Validation

[c4-pre-sort]

0xRobocop marked the issue as duplicate of #149

[c4-judge]

0xA5DF marked the issue as unsatisfactory: Overinflated severity