Missing function to remove tokens from the whitelist
Description
Within the InfiniCardController contract, the addStrategy
function serves a dual purpose; it adds the specified strategy to the strategy whitelist and simultaneously includes the associated underlying token address in the token whitelist. This design ensures that only approved strategies and their corresponding tokens are recognized and utilized by the vault.
function addStrategy(address strategy) onlyRole(ADMIN_ROLE) external {
strategyWhiteList[strategy] = true;
_addToken(IStrategyVault(strategy).underlyingToken());
}
However, the removeStrategy
function currently only removes the specified strategy from the strategy whitelist without addressing the underlying tokens. Given that multiple strategies can share the same underlying token, simply removing a strategy does not automatically reflect the token's usage status across all strategies. As a result, the tokenWhiteList
may retain tokens that are no longer associated with any active strategy.
function removeStrategy(address strategy) onlyRole(ADMIN_ROLE) external {
strategyWhiteList[strategy] = false;
}
Impact
If a token is no longer used by any strategy but remains in the token whitelist, and the InfiniCardVault contract holds some of that token, it can be drained from the contract using the withdrawToCEX
function. This creates a potential security risk where unused tokens can be maliciously withdrawn.
Recommendations
Consider adding a function to remove unused underlying tokens from the tokenWhiteList
and tokenList
.
Remediation
This issue has been acknowledged by Infini Labs, and a fix was implemented in commit 773ef3b0↗.