code-423n4/contracts

Review: buy tokens twice (after a human error)


Impact

In the ArenaTokenSale contract you can update the whitelist with changeWhiteList().

If you accidentally call this function with old values of the whitelist, the whitelisted amount will be reset in the contract.
Then token buyers who already bought their share can buy their share again.
Note: Calling changeWhiteList() again with old values is a human error, but this could happen when copy/pasting from a spreadsheet.

Proof of Concept

    function changeWhiteList(address[] memory _buyers, uint256[] memory _newTokenOutAmounts)
        external
    {
        require(msg.sender == owner() || msg.sender == saleRecipient, "TokenSale: not authorized");
        require(
            _buyers.length == _newTokenOutAmounts.length,
            "TokenSale: parameter length mismatch"
        );
        for (uint256 i = 0; i < _buyers.length; i++) {
            whitelistedBuyersAmount[_buyers[i]] = _newTokenOutAmounts[i];
        }
    }

whitelistedBuyersAmount[msg.sender] -= _tokenOutAmount;

Recommended Mitigation Steps

Track the amount of tokens bought

Probably easier to restrict setting the whitelist to before the start of the token sale
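
A sketch of both recommended mitigations together, added here as an example and not taken from the ArenaTokenSale source. The contract name, `admin`, `saleStart`, `tokensBought` and the `buy()` signature are assumptions made for illustration; payment and token transfer are left out so that only the allowance accounting is shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

/// Added illustration, not the ArenaTokenSale source.
contract WhitelistCapSketch {
    address public immutable admin;      // stands in for owner()/saleRecipient
    uint256 public immutable saleStart;  // hypothetical sale start timestamp

    // The whitelist entry is a lifetime cap, not a remaining balance.
    mapping(address => uint256) public whitelistedBuyersAmount;
    // Hypothetical: cumulative amount each buyer has already bought.
    mapping(address => uint256) public tokensBought;

    constructor(uint256 _saleStart) {
        admin = msg.sender;
        saleStart = _saleStart;
    }

    function changeWhiteList(address[] memory _buyers, uint256[] memory _newTokenOutAmounts)
        external
    {
        require(msg.sender == admin, "TokenSale: not authorized");
        // Mitigation: freeze the whitelist once the sale has started.
        require(block.timestamp < saleStart, "TokenSale: sale started");
        require(
            _buyers.length == _newTokenOutAmounts.length,
            "TokenSale: parameter length mismatch"
        );
        for (uint256 i = 0; i < _buyers.length; i++) {
            whitelistedBuyersAmount[_buyers[i]] = _newTokenOutAmounts[i];
        }
    }

    function buy(uint256 _tokenOutAmount) external {
        require(block.timestamp >= saleStart, "TokenSale: not started");
        // Mitigation: purchases accumulate, so re-applying an old whitelist
        // value cannot restore allowance that was already spent.
        uint256 bought = tokensBought[msg.sender] + _tokenOutAmount;
        require(bought <= whitelistedBuyersAmount[msg.sender], "TokenSale: above cap");
        tokensBought[msg.sender] = bought;
        // Payment collection and token distribution would follow here.
    }
}
```

With the cumulative counter, a whitelist update is idempotent: writing the same cap twice leaves the remaining allowance (`cap - tokensBought`) unchanged.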