```solidity
// Return any leftover vault token dust to the user
for (uint256 i; i < tokenLength; i++) {
    address _token = tokens[i];
    TransferHelper.safeTransfer(
        _token,
        user,
        _getTokenBalance(_token, address(this))
    );
}
```
One process returns the portfolio tokens, while the other returns the deposit token. If the depositToken is a portfolioToken, a balance of 0 will be returned. @aktech297
Github username: @aktech297
Twitter username: kaka
Submission hash (on-chain): 0xea28aee445e21b6cb0d4ff8bc4eca4e68da44fd4bad12f19e76d56095dbd6659
Severity: medium
Description: The function multiTokenSwapAndTransfer first refunds by traversing the array of tokens (DepositBatch.sol#L73-L81) and then refunds the _depositToken separately (DepositBatch.sol#L85-L89).

The issue here is that the array would have the _depositToken. So, the logic would refund the same token twice, which will break due to insufficient balance or transfer more when the contract has extra funds.
https://github.com/hats-finance/Velvet-Capital-0x0bb0c08fd9eeaf190064f4c66f11d18182961f77/blob/aa47c9ff85bcc2bede62978c3895668b549da125/contracts/bundle/DepositBatch.sol#L51-L65
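The balance-based refund pattern discussed in this thread, reduced to a self-contained model. This is an added example, not part of the original issue or the Velvet Capital code base. MockToken, SweepDemo and their functions are hypothetical names, and the leftover amount of 100 is a constructed value.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not Velvet Capital code. MockToken, SweepDemo and all
// function names here are hypothetical and exist only for illustration.
contract MockToken {
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    // Accepts zero-value transfers; reverts on underflow (checked math in 0.8+).
    function transfer(address to, uint256 amount) external returns (bool) {
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

contract SweepDemo {
    // Same shape as the refund discussed above: sweep every listed token,
    // then sweep the deposit token separately. Returns the amount moved by
    // the separate deposit-token sweep.
    function refund(address[] memory tokens, address depositToken, address user)
        public returns (uint256 depositSweep)
    {
        for (uint256 i; i < tokens.length; i++) {
            _sweep(tokens[i], user);
        }
        depositSweep = _sweep(depositToken, user);
    }

    // Sends the contract's current balance, so the amount is read at call time.
    function _sweep(address token, address user) private returns (uint256 bal) {
        bal = MockToken(token).balanceOf(address(this));
        require(MockToken(token).transfer(user, bal), "transfer failed");
    }

    // Constructed scenario: the deposit token also appears in the token list.
    function demo(address user) external returns (uint256 depositSweep, uint256 userBalance) {
        MockToken dep = new MockToken();
        dep.mint(address(this), 100); // constructed leftover amount
        address[] memory tokens = new address[](1);
        tokens[0] = address(dep);
        depositSweep = refund(tokens, address(dep), user);
        userBalance = dep.balanceOf(user);
    }
}
```

With this mock, the loop moves the full leftover balance and the separate deposit-token sweep reads a balance of 0, so the user receives the leftover once. The mock accepts zero-value transfers; a token that rejects them is not modelled here.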