Closed c4-bot-4 closed 4 months ago
piske-alex (sponsor) confirmed
piske-alex (sponsor) disputed
I haven't tested it in prod yet but according to rustdocs env! reads the variable at compile time
Upon deployment, the code will be compiled into BPF, including the public key taken from the deployment environment. The linked article offers a way of implementing environment variables in Solana whose content can change after deployment.
alcueca marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-04-lavarage/blob/9e8295b542fb71b2ba9b4693e25619585266d19e/libs/smart-contracts/programs/lavarage/src/processor/liquidate.rs#L23
Vulnerability details
Impact
The
liquidate
function will be permanently DoSed, opening the possibility for borrowers having under-collateralized loans, which will lead to lenders experiencing significant lossesProof of Concept
The current implementation of the
liquidate
function assigns the value oforacle_pubkey_check
to the environment variableORACLE_PUB_KEY
, by reading it using theenv!
macro provided in the Rust standard library.This will work fine for local deployments and for running tests, as the environment variable will be taken from the local machine. However, given that the
env!
call is performed at runtime, when the Lavarage program is deployed on-chain, this will lead to that environment variable not being able to be read, as at that point, the program will be actually running within the Solana network's execution environment. What this means is that on-chain, theliquidate
function will be permanently non-callable, making it impossible to liquidate any borrower, even if their loans become under-collateralized.Tools Used
Manual review
Recommended Mitigation Steps
Create a config account that will be used for storing the
oracle
public key instead of using an environment variable. This article does a great job of explaining how this can be achieved.Assessed type
DoS