hats-finance / Catalyst-Exchange-0x3026c1ea29bf1280f99b41934b2cb65d053c9db4


Pool can be drained by providing fake fromAssets tokens by calling the localSwap function #38

Open hats-bug-reporter[bot] opened 5 months ago

hats-bug-reporter[bot] commented 5 months ago

Github username: @ololade97
Twitter username: 97Sabit
Submission hash (on-chain): 0x95c1d4818f21bfe050a814e412cfd4185f4e0fcb30bb2a18a44f152ec2c80360
Severity: high

Description: In the depositMixed function, it doesn't check the types of tokens being deposited by a user. An attacker can deposit fake tokens into the contract.

Then, call the localSwap function. The fake token deposited would be passed as the fromAsset address. And the assetTo would be the real asset address in the contract.

This allows an attacker to exchange fake tokens for real tokens.

1. Proof of Concept (PoC) File

https://github.com/catalystdao/catalyst/blob/27b4d0a2bca177aff00def8cd745623bfbf7cb6b/evm/src/CatalystVaultAmplified.sol#L807-L846

https://github.com/catalystdao/catalyst/blob/27b4d0a2bca177aff00def8cd745623bfbf7cb6b/evm/src/CatalystVaultAmplified.sol#L290

2. Revised Code File (Optional)

reednaa commented 5 months ago

It will eventually hit: https://github.com/hats-finance/Catalyst-Exchange-0x3026c1ea29bf1280f99b41934b2cb65d053c9db4/blob/fba322fab023a9206183fb455e9f86facd550d8a/evm/src/CatalystVaultAmplified.sol#L267

where: https://github.com/hats-finance/Catalyst-Exchange-0x3026c1ea29bf1280f99b41934b2cb65d053c9db4/blob/fba322fab023a9206183fb455e9f86facd550d8a/evm/src/IntegralsAmplified.sol#L30-L34

and https://github.com/hats-finance/Catalyst-Exchange-0x3026c1ea29bf1280f99b41934b2cb65d053c9db4/blob/fba322fab023a9206183fb455e9f86facd550d8a/evm/src/IntegralsAmplified.sol#L73-L80

will revert if either the to or from token is not part of the contract.

See https://github.com/hats-finance/Catalyst-Exchange-0x3026c1ea29bf1280f99b41934b2cb65d053c9db4/issues/29 for a similar bug.