Open hats-bug-reporter[bot] opened 1 year ago
Hello, thanks a lot for your attention. In the majority of the tricrypto pools that we will use, the first asset is always a stable, so ETH will be the second or third asset. Other pools will not be used for this. It's considered a misconfiguration on our part and by extension it's Out Of Scope. In conclusion, we therefore have to consider this issue invalid.
Github username: --
Submission hash (on-chain): 0x62cc334af466f49fe56fae315b6cdd3b20b58c6c06368ce67cb493613f04f133
Severity: high
Description:

Description\
`_postTreatmentAndVerifyEth()` assumes that WETH is always the last token in the pool. This is incorrect for a majority of tricrypto pools and will lead to LP being highly overvalued.

Attack Scenario\
When calculating LP prices, `_postTreatmentAndVerifyEth()` always assumes that WETH is the second token in the pool. This isn't the case, which will cause the LP to be massively overvalued.

There are 6 tricrypto pools currently deployed on mainnet. Half of these pools have an asset other than WETH as token[2]:

The function `_postTreatmentAndVerifyEth()` is calling `_getOracleAndAggregatorPrices(WETH);` but using WETH, which will cause an issue.

Impact\
LP will be massively overvalued, leading to overborrowing and protocol insolvency.