Description

Within the InfiniCardController contract, the addStrategy function serves a dual purpose; it adds the specified strategy to the strategy whitelist and simultaneously includes the associated underlying token address in the token whitelist. This design ensures that only approved strategies and their corresponding tokens are recognized and utilized by the vault.

function addStrategy(address strategy) onlyRole(ADMIN_ROLE) external {
    strategyWhiteList[strategy] = true;
    _addToken(IStrategyVault(strategy).underlyingToken());
}

However, the removeStrategy function currently only removes the specified strategy from the strategy whitelist without addressing the underlying tokens. Given that multiple strategies can share the same underlying token, simply removing a strategy does not automatically reflect the token's usage status across all strategies. As a result, the tokenWhiteList may retain tokens that are no longer associated with any active strategy.

function removeStrategy(address strategy) onlyRole(ADMIN_ROLE) external { 
    strategyWhiteList[strategy] = false;
}

Impact

If a token is no longer used by any strategy but remains in the token whitelist, and the InfiniCardVault contract holds some of that token, it can be drained from the contract using the withdrawToCEX function. This creates a potential security risk where unused tokens can be maliciously withdrawn.

Recommendations

Consider adding a function to remove unused underlying tokens from the tokenWhiteList and tokenList.

Remediation

This issue has been acknowledged by Infini Labs, and a fix was implemented in commit 773ef3b0↗.