Multiple address tokens could be used to bypass the token duplication check

[hats-bug-reporter[bot]]

Github username: @PlamenTSV Twitter username: @p_tsanev Submission hash (on-chain): 0x9a1cdc0e82868e8d00be35a07ff317e3896f7fe576e9cc63b3dd93363c7f5ae0 Severity: low

Description: Description\ The createCampaigns() takes an array of bundles, basing how the campaign should be created. When reviewing and setting up the reward tokens we have the explicit check: if (_token == _bundle.rewardTokens[_k]) revert InvalidRewards() to avoid duplicate reward tokens by checking their addresses. However the rare occurance of multi-address(proxied) tokens would allow for the bypass of that check.

Attack Scenario\ To name a couple: Synthetix SNX tokens, sBTC, TUSD/TrueUSD(quite large market volume) stable coin are all tokens that can be accessed through a secondary proxied address. Essentially it is possible to have multiple occurances of the same tokens inside a campaign.

I rated it LOW due to the low market cap of such tokens and the fact this only breaks the assumption that the above check covers duplicate tokens.

Attachments

1. Proof of Concept (PoC) File

2. Revised Code File (Optional)

[luzzif]

Honestly, I don't think this would necessarily cause any issue. The duplicated token address check was mainly to avoid the situation where with 2 bundles with the same token address, only the second would be accounted for in the state of the smart contract, while the first token amount would still be taken in by the smart contract. This is basically a situation where the first bundle's funds are lost as the second bundle overrides the first in the reward mapping. But if the address is different this issue shouldn't really exist.