search

ZealynxSecurity / solana-LzApp-ONFT

0 stars 0 forks source link

[L-03] Lack of Pause Functionality for Cross-Chain Token Transfers Could Lead to Security Risks #7

Open ShieldifyMartin opened 1 month ago

ShieldifyMartin commented 1 month ago

Severity

Low Risk

Description

Protocol administrators should have the ability to pause cross-chain token transfers if any malicious activity is detected. It is a common security practice to implement a pause flag in the onft_config structure and assign a pauser role to control this functionality. This feature is crucial for handling emergency situations and preventing potential exploits.

Recommendation

Introduce a paused flag in the onft_config to ensure that cross-chain functionality for a specific token can be paused when necessary. Additionally, assign a pauser role to control this mechanism.

pub struct ONftConfig {
    // immutable
    pub ld2sd_rate: u64,
    pub token_mint: Pubkey,
    pub token_program: Pubkey,
    pub endpoint_program: Pubkey,
    pub bump: u8,
    // mutable
    pub admin: Pubkey,
    pub ext: ONftConfigExt,
+    pub pauser: Pubkey,
+    pub paused: bool,
}

Add the following check at the beginning of the send and lz_receive functions to ensure the token is not paused during execution:

 require!(!ctx.accounts.onft_config.paused, OFTError::Paused);