Tokens not owned by an account can be added as an asset to the account
Summary
In the controllers RewardRouterController, RewardRouterV2Controller and DNGMXVaultController the function canCall can return in tokenIn a token address that has actually not been received by the account. If the account did not have the token before, than the token is added to the asset list of the account even if the account does not hold the token at all.
Vulnerability Detail
in RewardRouterController: in canCallCompound(), WETH is added to tokensIn but no tokens are sent to the account as a result of the call to the Reward Router's function compound()
in RewardRouterV2Controller: in canCallRedeem() the token redeemed is added to tokensIn, but the router's function unstakeAndRedeemGlp() allows to send the tokens to a 3rd party receiver instead of the caller. In such a case, nop tokens are sent to the account.
in DNGMXVaultController: in canWithdraw() the token redeemed is added to tokensIn, but the DN GMX vault's functions redeemToken() and withdrawToken() allow to send the tokens to a 3rd party receiver instead of the caller. In such a case, nop tokens are sent to the account.
Impact
There can be tokens in the list of assets of an account that the account doesn't actually hold. Note that this does not pose any issues for the calculation of collateral.
Bahurum
low
Tokens not owned by an account can be added as an asset to the account
Summary
In the controllers
RewardRouterController,RewardRouterV2ControllerandDNGMXVaultControllerthe functioncanCallcan return intokenIna token address that has actually not been received by the account. If the account did not have the token before, than the token is added to the asset list of the account even if the account does not hold the token at all.Vulnerability Detail
RewardRouterController: incanCallCompound(),WETHis added totokensInbut no tokens are sent to the account as a result of the call to the Reward Router's functioncompound()RewardRouterV2Controller: incanCallRedeem()the token redeemed is added totokensIn, but the router's functionunstakeAndRedeemGlp()allows to send the tokens to a 3rd party receiver instead of the caller. In such a case, nop tokens are sent to the account.DNGMXVaultController: incanWithdraw()the token redeemed is added totokensIn, but the DN GMX vault's functionsredeemToken()andwithdrawToken()allow to send the tokens to a 3rd party receiver instead of the caller. In such a case, nop tokens are sent to the account.Impact
There can be tokens in the list of assets of an account that the account doesn't actually hold. Note that this does not pose any issues for the calculation of collateral.
Code Snippet
https://github.com/sherlock-audit/2023-01-sentiment/blob/main/controller-55/src/gmx/RewardRouterController.sol#L67
https://github.com/sherlock-audit/2023-01-sentiment/blob/main/controller-55/src/gmx/RewardRouterV2Controller.sol#L88
https://github.com/sherlock-audit/2023-01-sentiment/blob/main/controller-55/src/gmx/RewardRouterV2Controller.sol#L88
Tool used
Manual Review
Recommendation
No particular reccommendation.