hats-finance / Velvet-Capital-0x0bb0c08fd9eeaf190064f4c66f11d18182961f77

Core smart contracts of Velvet Capital

Portfolio manager can steal all funds at any time by removing all tokens #19

Open hats-bug-reporter[bot] opened 3 months ago

hats-bug-reporter[bot] commented 3 months ago

Github username: @deadrosesxyz
Twitter username: @deadrosesxyz
Submission hash (on-chain): 0xa7a00207ca7c495f1a82b4e795912fcf5fbd1ed238a393a837707fdb19f3b348
Severity: high

Description: Portfolio manager can steal all funds at any time by removing all tokens

Attack Scenario: At any time, the portfolio manager can call updateTokenList to change the used tokens list. The problem is that this allows him to remove active tokens, forcing any user within the protocol to suffer a loss.

  1. Protocol manager removes all active tokens and inputs a new one which currently has 0 balance.
  2. Manager raw sends 1 wei balance.
  3. Manager then deposits 1e18 of that token and owns realistically all of the liquidity within the portfolio.
  4. Manager can then re-add recently removed tokens and withdraw all funds.

Attachments

  1. Proof of Concept (PoC) File

  2. Revised Code File (Optional)
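An added defensive example, not Velvet Capital's contract and not the reporter's PoC: a minimal, hypothetical vault sketch whose updateTokenList rejects dropping any token the vault still holds a balance of, which blocks step 1 of the scenario above independently of how share accounting is done. The interface, contract, function body and error names are assumptions; only the entry point name comes from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Hypothetical minimal vault sketch (not Velvet Capital's code): the manager
// cannot remove a token from the active list while the vault still holds it,
// so a rebalance that would orphan user-backing assets reverts on-chain.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}
contract TokenListGuardExample {
    address public immutable portfolioManager;
    address[] public tokens;                  // active token list
    mapping(address => bool) public isListed;
    error NotManager();
    error EmptyList();
    error TokenStillHeld(address token, uint256 balance);
    constructor(address manager, address[] memory initialTokens) {
        portfolioManager = manager;
        _setList(initialTokens);
    }
    // Same entry point name as in the report; the checks are this example's own.
    function updateTokenList(address[] memory newTokens) external {
        if (msg.sender != portfolioManager) revert NotManager();
        if (newTokens.length == 0) revert EmptyList();
        // Every currently listed token absent from the new list must have a
        // zero vault balance; otherwise the whole update is rejected.
        for (uint256 i = 0; i < tokens.length; i++) {
            address old = tokens[i];
            if (!_contains(newTokens, old)) {
                uint256 held = IERC20(old).balanceOf(address(this));
                if (held != 0) revert TokenStillHeld(old, held);
            }
        }
        _setList(newTokens);
    }
    // Replace the active list and keep the membership mapping in sync.
    function _setList(address[] memory newTokens) internal {
        for (uint256 i = 0; i < tokens.length; i++) isListed[tokens[i]] = false;
        delete tokens;
        for (uint256 i = 0; i < newTokens.length; i++) {
            isListed[newTokens[i]] = true;
            tokens.push(newTokens[i]);
        }
    }
    function _contains(address[] memory list, address t) internal pure returns (bool) {
        for (uint256 i = 0; i < list.length; i++) if (list[i] == t) return true;
        return false;
    }
}
```

With this guard, removing a held token first requires swapping its balance out through the vault's normal rebalance path, so the removal itself can never be what makes value vanish from the share accounting.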

aj07 commented 3 months ago

Hi @deadrosesxyz, can you please add more info around it? It would be nice if you could include the PoC as well.

langnavina97 commented 3 months ago

Even if the asset manager rebalances the tokens, the share of each user will still be represented by the portfolio token. The asset manager cannot arbitrarily mint additional tokens, and any changes to the token list will reflect proportionally in the portfolio tokens held by users. The system ensures that users' shares remain intact regardless of the asset manager's actions.

@deadrosesxyz