hats-finance / Velvet-Capital-0x0bb0c08fd9eeaf190064f4c66f11d18182961f77

Core smart contracts of Velvet Capital

If token whitelisting is disabled, portfolio manager can DoS all deposits and withdraws #10

Open hats-bug-reporter[bot] opened 3 months ago

hats-bug-reporter[bot] commented 3 months ago

Github username: @deadrosesxyz
Twitter username: @deadrosesxyz
Submission hash (on-chain): 0xaf2662265726b5378e62144fed3c6a396e97a611f5c9383a9a69a75b6d0339f1
Severity: medium

Description: If token whitelisting is disabled, the portfolio manager can DoS all deposits and withdrawals.

Attack Scenario: If the token whitelist is not enabled, the portfolio manager can add any token. This would allow them to add a custom non-transferable token. Since on each deposit/withdraw all tokens must be transferred, this would cause a DoS to all user funds within the contract.

Attachments

  1. Proof of Concept (PoC) File

  2. Revised Code File (Optional)
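To make the failure mode and the whitelist gate concrete, the following is an added Python model written for this page; it is not Velvet Capital's Solidity code and not part of the report. The `Token` and `Portfolio` classes, the token symbols, the user names and the `run_scenario` helper are all constructed assumptions. The model keeps the report's key property (every held token is transferred on each deposit and withdrawal, and a revert in any one transfer rolls back the whole call) and shows that with whitelisting disabled a non-transferable token added by the manager makes later deposits and withdrawals revert, while with whitelisting enabled that token never enters the list.

```python
import copy

# Constructed model of the report's scenario: a portfolio that moves every
# held token on each deposit/withdraw, plus the whitelist gate on add_token.
# Illustrative code only; it is not Velvet Capital's contract code.


class TransferReverted(Exception):
    """Stands in for a revert raised inside a token's transfer."""


class Token:
    """Minimal ERC-20-like ledger; transferable=False models a token whose
    transfer always reverts (the non-transferable token in the report)."""

    def __init__(self, symbol, transferable=True):
        self.symbol = symbol
        self.transferable = transferable
        self.balances = {}

    def mint(self, to, amount):
        self.balances[to] = self.balances.get(to, 0) + amount

    def transfer(self, sender, recipient, amount):
        if not self.transferable:
            raise TransferReverted(f"{self.symbol}: transfer disabled")
        if self.balances.get(sender, 0) < amount:
            raise TransferReverted(f"{self.symbol}: insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount


class Portfolio:
    """whitelist=None models 'token whitelisting disabled'; a set of
    symbols models the enabled whitelist."""

    VAULT = "portfolio"

    def __init__(self, whitelist=None):
        self.whitelist = whitelist
        self.tokens = []
        self.shares = {}

    def add_token(self, token):
        # The gate the maintainers rely on: with whitelisting enabled an
        # unapproved token never enters the token list.
        if self.whitelist is not None and token.symbol not in self.whitelist:
            raise ValueError(f"{token.symbol} is not whitelisted")
        self.tokens.append(token)

    def _atomic(self, action):
        # Mimic EVM semantics: a revert anywhere undoes every transfer made
        # earlier in the same call, so nothing partial is left behind.
        snapshot = copy.deepcopy((self.shares, [t.balances for t in self.tokens]))
        try:
            action()
        except TransferReverted:
            self.shares, balances = snapshot
            for token, bal in zip(self.tokens, balances):
                token.balances = bal
            raise

    def deposit(self, user, amount):
        def action():
            for token in self.tokens:  # every held token moves in
                token.transfer(user, self.VAULT, amount)
            self.shares[user] = self.shares.get(user, 0) + amount
        self._atomic(action)

    def withdraw(self, user, amount):
        def action():
            if self.shares.get(user, 0) < amount:
                raise TransferReverted("insufficient shares")
            for token in self.tokens:  # every held token moves out
                token.transfer(self.VAULT, user, amount)
            self.shares[user] -= amount
        self._atomic(action)


def run_scenario(whitelist_enabled):
    """Alice deposits, the manager tries to add a non-transferable token,
    then Bob deposits and Alice withdraws. Returns what succeeded."""
    usdc, weth = Token("USDC"), Token("WETH")
    for t in (usdc, weth):
        t.mint("alice", 1_000)
        t.mint("bob", 1_000)

    portfolio = Portfolio(whitelist={"USDC", "WETH"} if whitelist_enabled else None)
    portfolio.add_token(usdc)
    portfolio.add_token(weth)
    portfolio.deposit("alice", 100)  # user funds are in before the rogue token

    rogue = Token("RUG", transferable=False)  # constructed rogue token
    try:
        portfolio.add_token(rogue)
        rogue_token_added = True
    except ValueError:
        rogue_token_added = False

    def attempt(call):
        try:
            call()
            return True
        except TransferReverted:
            return False

    return {
        "rogue_token_added": rogue_token_added,
        "later_deposit_ok": attempt(lambda: portfolio.deposit("bob", 50)),
        "withdraw_ok": attempt(lambda: portfolio.withdraw("alice", 100)),
        "alice_usdc": usdc.balances["alice"],
    }


if __name__ == "__main__":
    print("whitelist disabled:", run_scenario(False))
    print("whitelist enabled: ", run_scenario(True))
```

With whitelisting disabled, Alice's 100 USDC stays locked in the vault (her balance remains 900) because the rogue token's transfer reverts the whole withdrawal; with whitelisting enabled, `add_token` rejects the rogue token and both the later deposit and the withdrawal complete. The defensive point is that the gate must sit on the path that adds tokens, since once a reverting token is in the list every transfer-all loop after it is blocked.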

langnavina97 commented 3 months ago

We are aware of this risk, which is why we have implemented the whitelisting option. By enabling token whitelisting, we ensure that only approved tokens can be added to the portfolio, preventing the addition of any non-transferable or malicious tokens. This measure protects the integrity of deposits and withdrawals, safeguarding user funds from potential DoS attacks.

@deadrosesxyz