Description

The createVault() accepts an array of farm descriptors (IDexFiVault.Farm[] farms_) but never verifies that each farm is present in _farmsWhitelist. Although DexFiVault.initialize() eventually rechecks the list via DexFiVaultHelper.processFarm, the factory still 1) exposes users to a future implementation upgrade where the vault-side check might be removed and 2) deploys a BeaconProxy (wasting gas) before the revert occurs.

Impact

An attacker can supply a malicious farm contract that gains control over the vault’s funds the moment any downstream developer drops or weakens the vault-side validation.

Recommendations

Add explicit allowlist validation in createVault() before the proxy is deployed:

for (uint256 i; i < farms_.length; ++i) {
    require(
        _farmsWhitelist.contains(farms_[i].beacon),
        "FARM_NOT_WHITELISTED"
    );
}

This keeps the factory itself the single source of truth, saves users deployment gas on invalid inputs, and prevents bugs introduced by future vault upgrades.

Remediation

This issue has been acknowledged by DexFi, and a fix was implemented in commit abb42b53↗.