gajiknownnothing - The ability to add or remove payment tokens does not align with the requirement

[sherlock-admin3]

gajiknownnothing

medium

The ability to add or remove payment tokens does not align with the requirement

Summary

The current implementation of Midas vault contracts allows the vault admin to add or remove payment tokens through ManageableVault::addPaymentToken and ManageableVault::removePaymentToken functions. This capability is inconsistent with the project's statement that "Only USDC and mTBILL will be used".

Vulnerability Detail

The contract allows the vault admin to support multiple payment tokens, such as USDC and USDT, as valid payment tokens in the future. This flexibility introduces the risk of users exploiting potential price discrepancies between supported tokens during depeg events.

For instance, if USDC experiences a depeg event similar to the past incident where its value dropped to $0.74, news link, users could deposit USDC into the vault and redeem the equivalent amount in USDT, effectively profiting from the price difference.

Impact

Inconsistent contract implementation.

Code Snippet

https://github.com/sherlock-audit/2024-05-midas/blob/a4a3cc23bb891913ce44665a4cdea9f5c1190f6c/midas-contracts/contracts/abstract/ManageableVault.sol#L106

https://github.com/sherlock-audit/2024-05-midas/blob/a4a3cc23bb891913ce44665a4cdea9f5c1190f6c/midas-contracts/contracts/abstract/ManageableVault.sol#L115

Tool used

Manual Review

Recommendation

• Remove the ManageableVault::addPaymentToken and ManageableVault::removePaymentToken functionalities.
• Initiated the payment token address with a single payment token in the contract constructor.