This was raised by @joocho (https://github.com/status-im/audit-reports/issues/81)
TLDR:
- There's no check that user deposit accounts are owned by the same token program as the vault accounts
- This allows users to deposit from accounts owned by malicious token programs that don't transfer any tokens
- Fix is to check whether the user deposit accounts are owned by the same program as the vaults
In addition, we should explore whether to require a specific token program ID for all token accounts.
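The owner check from the TLDR, and the stricter "pin the token program ID" variant, written out as an added example. This is not code from the audited program or from the reporter; it uses plain Rust structs standing in for Solana's `AccountInfo` (key, owner program, data) so it runs without the `solana-program` crate, and `TOKEN_PROGRAM` / `EVIL_PROGRAM` are constructed placeholder IDs, not real on-chain addresses. The token program's transfer behaviour is abstracted away: the point is that an account owned by an arbitrary program can carry any data, so its contents mean nothing until the owner is verified.

```rust
// Added example, not code from the audited program. Plain-Rust stand-ins for
// Solana's AccountInfo (key / owner program / data) so it runs with no
// solana-program dependency. Program IDs below are placeholders, not the real
// SPL Token program ID.
use std::convert::TryInto;

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Pubkey(pub [u8; 32]);

/// On Solana the account `owner` is the *program* allowed to mutate the
/// account's data (e.g. the SPL Token program for a token account). It is
/// distinct from the wallet recorded inside the token account's data.
#[derive(Debug)]
pub struct Account {
    pub key: Pubkey,
    pub owner: Pubkey,
    pub data: Vec<u8>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum DepositError {
    /// User token account is owned by a different program than the vault.
    OwnerMismatch,
    /// Vault is not owned by the token program the deployment requires.
    UnexpectedTokenProgram,
    /// Account data too short to hold a token account.
    BadLayout,
}

/// SPL Token account layout (assumed for this example): mint (32 bytes),
/// owner (32 bytes), amount (u64 little-endian), then flags/state.
const AMOUNT_OFFSET: usize = 64;
const TOKEN_ACCOUNT_LEN: usize = 165;

/// Read the balance field the way a naive program would: trusting layout only.
pub fn token_amount(acc: &Account) -> Result<u64, DepositError> {
    let bytes = acc
        .data
        .get(AMOUNT_OFFSET..AMOUNT_OFFSET + 8)
        .ok_or(DepositError::BadLayout)?;
    Ok(u64::from_le_bytes(bytes.try_into().expect("8 bytes")))
}

/// Vulnerable shape: any account with a plausible layout is accepted, so an
/// account owned by a malicious program can claim an arbitrary balance.
pub fn deposit_unchecked(user: &Account, _vault: &Account) -> Result<u64, DepositError> {
    token_amount(user)
}

/// Fixed shape: the user account must be owned by the same program as the
/// vault account; optionally that program is pinned to a known token program.
pub fn deposit_checked(
    user: &Account,
    vault: &Account,
    required_program: Option<&Pubkey>,
) -> Result<u64, DepositError> {
    if let Some(p) = required_program {
        if vault.owner != *p {
            return Err(DepositError::UnexpectedTokenProgram);
        }
    }
    if user.owner != vault.owner {
        return Err(DepositError::OwnerMismatch);
    }
    token_amount(user)
}

/// Build a constructed token-account-shaped account owned by `program`.
pub fn make_token_account(key: u8, program: Pubkey, amount: u64) -> Account {
    let mut data = vec![0u8; TOKEN_ACCOUNT_LEN];
    data[AMOUNT_OFFSET..AMOUNT_OFFSET + 8].copy_from_slice(&amount.to_le_bytes());
    Account { key: Pubkey([key; 32]), owner: program, data }
}

/// Placeholder program IDs (constructed, not real on-chain addresses).
pub const TOKEN_PROGRAM: Pubkey = Pubkey([0xAA; 32]);
pub const EVIL_PROGRAM: Pubkey = Pubkey([0xEE; 32]);

fn main() {
    let vault = make_token_account(1, TOKEN_PROGRAM, 0);
    let honest = make_token_account(2, TOKEN_PROGRAM, 500);
    // Attacker's account: right layout, huge "balance", wrong owner program.
    let forged = make_token_account(3, EVIL_PROGRAM, u64::MAX);

    println!("unchecked forged: {:?}", deposit_unchecked(&forged, &vault));
    println!("checked   forged: {:?}", deposit_checked(&forged, &vault, Some(&TOKEN_PROGRAM)));
    println!("checked   honest: {:?}", deposit_checked(&honest, &vault, Some(&TOKEN_PROGRAM)));
}
```

Comparing owners alone closes the gap described in the TLDR but still lets an attacker pass if they can get a vault whose owner they control; pinning `required_program` to the expected token program ID is what rules that out, which is the trade-off the last point above is asking about.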