`StableSwapThreePoolDeployer.createSwapPair` lacks of parameter validating

[hats-bug-reporter[bot]]

Github username: -- Twitter username: -- Submission hash (on-chain): 0x1a888657129021902f001539b564f2eacd4daaf9e8401c87b31e6812b6c41dad Severity: low

Description: Description\ In StableSwapThreePoolDeployer.createSwapPair, only _tokenA and _tokenB are checked in StableSwapThreePoolDeployer.sol#L65, _tokenC is not validated.

 55     function createSwapPair(
 56         address _tokenA,
 57         address _tokenB,
 58         address _tokenC,
 59         uint256 _A,
 60         uint256 _fee,
 61         uint256 _admin_fee,
 62         address _admin,
 63         address _LP
 64     ) external onlyOwner whenNotPaused returns (address) {
 65         require(_tokenA != address(0) && _tokenB != address(0) && _tokenA != _tokenB, "Illegal token"); <<<--- _tokenC is not checked here
 66         (address t0, address t1, address t2) = sortTokens(_tokenA, _tokenB, _tokenC);
 67         address[N_COINS] memory coins = [t0, t1, t2];
 68         // create swap contract
 69         bytes memory bytecode = type(StableSwapThreePool).creationCode;
 70         bytes32 salt = keccak256(abi.encodePacked(t0, t1, t2, msg.sender, block.timestamp, block.chainid));
 71         address swapContract;
 72         assembly {
 73             swapContract := create2(0, add(bytecode, 32), mload(bytecode), salt)
 74         }
 75         StableSwapThreePool(swapContract).initialize(coins, _A, _fee, _admin_fee, _admin, _LP);
 76 
 77         return swapContract;
 78     }

Attack Scenario\ Describe how the vulnerability can be exploited.

Attachments

1. Proof of Concept (PoC) File

2. Revised Code File (Optional)

[Ghoulouis]

The addresses were previously checked at contact StableSwapFactory in createThreePoolPair()