Closed c4-bot-7 closed 4 months ago
alcueca marked the issue as duplicate of #5
alcueca marked the issue as satisfactory
alcueca marked the issue as selected for report
piske-alex (sponsor) confirmed
Other dups are separate issues; they are talking about node_wallet, not token_program. This is totally different. Please re-check.
Hi @DadeKuma
Thank you for your efforts.
Here is my input on this. Unfortunately, this is an invalid issue due to two reasons:
First: "Malicious users can submit arbitrary programs during liquidations due to a lack of checks ensuring that the Token program is the real SPL program."
The TX for the Liquidate function has to be signed by Oracle. Any change in any data will result in an invalid TX in Solana.
Furthermore, Oracle is a trusted role. Check README here
Second: The program token id is implicitly checked by solana-program-library when using spl-token CPIs, so developers don't need to verify it anymore. Check this: Fix potential vulnerabilities in programs using spl-token CPIs by adding program id checks
Note: this was a common vulnerability in Solana prior to this fix.
CC: @c4-judge
Hi @koolexcrypto, thanks for the input, TIL. I still have some doubts about this as there is a check in another part of the code but it's missing here, maybe the sponsor can give us further feedback about it as they confirmed the issue.
Regarding the first point, other dups also assume that the Oracle only checks the price/position_size and not the other data before signing (a misuse of the trusted role would be to assume an invalid price, which is what the Oracle is checking).
alcueca marked the issue as unsatisfactory: Invalid
The program token id is now checked by default, as @koolexcrypto says.
Lines of code
https://github.com/code-423n4/2024-04-lavarage/blob/main/libs/smart-contracts/programs/lavarage/src/processor/liquidate.rs#L107
https://github.com/code-423n4/2024-04-lavarage/blob/main/libs/smart-contracts/programs/lavarage/src/processor/liquidate.rs#L58-L72
Vulnerability details
Impact
Malicious users can submit arbitrary programs during liquidations due to a lack of checks ensuring that the Token program is the real SPL program.
This could potentially allow borrowers to 'liquidate' their own positions, extracting collateral into their own accounts rather than the lender's.
Proof of Concept
Liquidate doesn't have any checks for token_program: https://github.com/code-423n4/2024-04-lavarage/blob/main/libs/smart-contracts/programs/lavarage/src/processor/liquidate.rs#L107
An attacker/borrower might liquidate their own position, passing their own program instead of the SPL: https://github.com/code-423n4/2024-04-lavarage/blob/main/libs/smart-contracts/programs/lavarage/src/processor/liquidate.rs#L58-L72
token::transfer will simply invoke the attacker's program, but it will be signed by the position: https://docs.rs/anchor-spl/latest/src/anchor_spl/token.rs.html#11-29
At this point, the attacker's program transfers the collateral to themselves, instead of the lender's account.
Tools Used
Manual review
Recommended Mitigation Steps
Consider checking that the token program is the real SPL program:
Assessed type
Invalid Validation
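As an added illustration (not the Lavarage handler and not a snippet from this report), the check the mitigation section asks for, written in dependency-free Rust; the koolexcrypto reply above notes that current spl-token CPI helpers already make this comparison, so in a deployed program it is defense in depth. The `Pubkey`, `AccountInfo`, `ProgramError` and `liquidate` names are stand-ins for Solana's types, not the project's code.

```rust
// Added illustration, not the Lavarage handler: the program-id check that
// Anchor's `Program<'info, Token>` type and the spl-token CPI helpers
// perform on `token_program` before any transfer. Types below are minimal
// stand-ins for Solana's `Pubkey`/`AccountInfo` so the file builds alone.

/// Real SPL Token program id (base58 text), the value the check compares against.
pub const SPL_TOKEN_PROGRAM_ID: &str = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA";

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Pubkey(pub String);

/// Minimal stand-in for solana_program::AccountInfo.
#[derive(Debug, Clone)]
pub struct AccountInfo {
    pub key: Pubkey,
    pub executable: bool,
}

#[derive(Debug, PartialEq, Eq)]
pub enum ProgramError {
    IncorrectProgramId,
    InvalidAccountData,
}

/// Same decision as spl_token::check_program_account: the account passed as
/// `token_program` must be the SPL Token program, not an arbitrary executable.
/// The `executable` test is an extra sanity check, not part of spl-token's.
pub fn check_token_program(token_program: &AccountInfo) -> Result<(), ProgramError> {
    if !token_program.executable {
        return Err(ProgramError::InvalidAccountData);
    }
    if token_program.key.0 != SPL_TOKEN_PROGRAM_ID {
        return Err(ProgramError::IncorrectProgramId);
    }
    Ok(())
}

/// Constructed sketch of the liquidate path with the check placed before the
/// CPI, so an attacker-supplied program never receives the position's signature.
/// Returns the key that would receive the collateral on success.
pub fn liquidate(token_program: &AccountInfo, lender: &Pubkey) -> Result<Pubkey, ProgramError> {
    check_token_program(token_program)?;
    // ... token::transfer CPI signed by the position PDA would follow here ...
    Ok(lender.clone())
}

fn main() {
    let fake = AccountInfo { key: Pubkey("Attacker11111111111111111111111111111111111".into()), executable: true };
    println!("{:?}", liquidate(&fake, &Pubkey("Lender".into()))); // Err(IncorrectProgramId)
}
```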