`PanopticPool` can be initialized with wrong data

[c4-bot-2]

Lines of code

https://github.com/code-423n4/2024-04-panoptic/blob/833312ebd600665b577fbd9c03ffa0daf250ed24/contracts/PanopticPool.sol#L291

Vulnerability details

Users can initialize PanopticPool with incorrect data. If user initializes PanopticPool using PanopticFactory no troubles would occur, however, if user wants to use PanopticPool separately, he/she can call PanopticPool.startPool() with any data that they want resulting to params _univ3pool, token0, token1, collateralTracker0, collateralTracker1 being not related at all. If user then wants to call any major functions they would revert as pool was initialized wrongly.

Impact

Wrongly initialized PanopticPool is invalid and can not be used as all main functions would revert.

Recommended Mitigation Steps

Add additional checks to ensure that PanopticPool is initialized correctly.

@@ -301,6 +301,11 @@ contract PanopticPool is ERC1155Holder, Multicall {
         // Store the univ3Pool variable
         s_univ3pool = IUniswapV3Pool(_univ3pool);

+        require(token0 == _univ3pool.token0());
+        require(token1 == _univ3pool.token1());
+        require(token0 == collateralTracker0.asset());
+        require(token1 == collateralTracker1.asset());
+
         (, int24 currentTick, , , , , ) = IUniswapV3Pool(_univ3pool).slot0();

Assessed type

Invalid Validation

[c4-judge]

Picodes marked the issue as unsatisfactory: Invalid