TOB-FUEL-3: register_refund does not take previous refunds into account #53
Labels: audit-report (Related to the audit report)
Description
When a refund is registered due to an error, any previous refund balance is overwritten and lost.
Refunds are issued when the bridged Ethereum asset is sent to an incompatible token address on the Fuel chain.
Refunds are accounted for in the register_refund function and stored in the storage variable refund_amounts.
Exploit Scenario
Alice bridges 1M USDC from Ethereum to the Fuel chain and includes a wrong recipient. Due to a mistake, she sends the transaction twice. Because the second refund overwrites the first, the refund for her first deposit is lost.
Recommendations
Short term, increment the amounts when updating the refund storage values.
Long term, increase test coverage and make sure that special cases, such as triggering a refund case twice, are included.
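To make the finding and the short-term fix concrete, here is an added Rust model (not the bridge's Sway contract) of the refund_amounts storage: one variant overwrites the balance as the finding describes, the other accumulates it as recommended, and the Alice scenario is replayed against both. The key type, the USDC decimals and the overflow check are assumptions of this illustration.

```rust
use std::collections::HashMap;

/// Key for a pending refund: (depositor, bridged token). Both are plain
/// strings here; this is an illustration, not the contract's storage layout.
type RefundKey = (String, String);

#[derive(Default)]
pub struct BridgeModel {
    /// Models the `refund_amounts` storage variable from the finding.
    refund_amounts: HashMap<RefundKey, u64>,
}

impl BridgeModel {
    /// Behaviour described in the finding: the stored balance is replaced,
    /// so a second failed deposit silently discards the first refund.
    pub fn register_refund_overwrite(&mut self, from: &str, token: &str, amount: u64) {
        self.refund_amounts
            .insert((from.to_string(), token.to_string()), amount);
    }

    /// Recommended behaviour: add to whatever refund is already pending.
    /// `checked_add` turns a balance overflow into an explicit error instead
    /// of a wrapped (smaller) refund; that check is an assumption added here.
    pub fn register_refund_accumulate(
        &mut self, from: &str, token: &str, amount: u64,
    ) -> Result<(), &'static str> {
        let entry = self.refund_amounts
            .entry((from.to_string(), token.to_string()))
            .or_insert(0);
        *entry = entry.checked_add(amount).ok_or("refund balance overflow")?;
        Ok(())
    }

    pub fn pending_refund(&self, from: &str, token: &str) -> u64 {
        self.refund_amounts
            .get(&(from.to_string(), token.to_string()))
            .copied()
            .unwrap_or(0)
    }
}

/// Replays the exploit scenario: Alice's mis-addressed 1M USDC deposit is
/// sent twice. Returns the refund balance the bridge ends up holding for her.
pub fn alice_scenario(accumulate: bool) -> u64 {
    let mut bridge = BridgeModel::default();
    let one_million_usdc: u64 = 1_000_000 * 1_000_000; // assumes 6 decimals
    for _ in 0..2 {
        if accumulate {
            bridge.register_refund_accumulate("alice", "USDC", one_million_usdc).unwrap();
        } else {
            bridge.register_refund_overwrite("alice", "USDC", one_million_usdc);
        }
    }
    bridge.pending_refund("alice", "USDC")
}
```

With the overwriting variant the model ends with only one deposit's worth of refund pending; the accumulating variant keeps both, which is the test case the long-term recommendation asks to cover.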