The token contract admin enables an ArcToken for purchase through the ArcTokenPurchase#enableToken function. Calling ArcTokenPurchase#enableToken again resets the related sale parameters, including amountSold. This allows amountSold to be reset to 0 after some sales, which can lead to over-selling relative to the originally intended totalAmountForSale.
1. Reproduction scenario (high level)
   The token contract admin calls ArcTokenPurchase#enableToken to set totalAmountForSale = 1000.
   Some tokens are purchased (e.g., amountSold = 700).
2. Admin updates configuration
   The token contract admin calls ArcTokenPurchase#enableToken again (for example to update tokenPrice).
   This second call resets amountSold to 0 while remainingForSale remains based on totalAmountForSale.
3. Over-sell occurs
   After the reset, more tokens can be sold up to totalAmountForSale again (e.g., another 1000).
   Total tokens sold becomes 1700 even though totalAmountForSale was originally 1000, causing over-sale and mismatch with underlying RWA.
Impact
More Arc tokens can be sold than expected, which is unfair to earlier buyers and may result in insufficient RWA to deliver the promised assets.
Recommendation
Do not allow amountSold to be reset to 0 when calling ArcTokenPurchase#enableToken. Ensure amountSold is preserved (or updated correctly) when the admin re-enables or updates sale parameters so that total accounting cannot be reset and over-selling cannot occur.
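One way to apply this recommendation, shown as an added example that is not the ArcTokenPurchase source: enableToken updates only the configuration fields, never writes amountSold, and rejects a cap lower than what has already been sold. Only enableToken, totalAmountForSale, tokenPrice and amountSold are names from this report; the contract name, struct layout, admin check, errors and recordPurchase are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: simplified sale accounting, not the project's contract.
// Hypothetical names: SaleAccountingExample, Sale, admin, recordPurchase, errors.
contract SaleAccountingExample {
    struct Sale {
        bool enabled;
        uint256 tokenPrice;
        uint256 totalAmountForSale;
        uint256 amountSold; // cumulative; must survive reconfiguration
    }

    address public immutable admin; // assumption: a single admin for brevity
    mapping(address => Sale) public sales;

    error NotAdmin();
    error SaleNotEnabled();
    error CapBelowAmountSold(uint256 cap, uint256 sold);
    error ExceedsRemaining(uint256 requested, uint256 remaining);

    constructor() {
        admin = msg.sender;
    }

    // Safe to call repeatedly (e.g. to change tokenPrice): amountSold is
    // never assigned here, so a second call cannot zero the sold counter.
    function enableToken(address token, uint256 totalAmountForSale, uint256 tokenPrice) external {
        if (msg.sender != admin) revert NotAdmin();
        Sale storage s = sales[token];
        // A cap below what is already sold would make the subtraction in
        // recordPurchase underflow; reject it explicitly instead.
        if (totalAmountForSale < s.amountSold) revert CapBelowAmountSold(totalAmountForSale, s.amountSold);
        s.enabled = true;
        s.tokenPrice = tokenPrice;
        s.totalAmountForSale = totalAmountForSale;
    }

    // Stands in for the purchase path; payment and token transfer are omitted.
    function recordPurchase(address token, uint256 amount) external {
        Sale storage s = sales[token];
        if (!s.enabled) revert SaleNotEnabled();
        uint256 remaining = s.totalAmountForSale - s.amountSold;
        if (amount > remaining) revert ExceedsRemaining(amount, remaining);
        s.amountSold += amount;
    }
}
```

With this accounting, the scenario above (cap 1000, 700 sold, enableToken called again with the same cap) leaves 300 purchasable instead of 1000.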
Proof of Concept
This test reproduces the issue by enabling a sale, selling 700 tokens, refilling the contract, re-calling enableToken (which resets amountSold), and then selling 1000 tokens again — resulting in 1700 tokens sold despite totalAmountForSale being 1000.