Tokens can be stolen during liquidation

[c4-bot-9]

Lines of code

https://github.com/code-423n4/2024-04-lavarage/blob/main/libs/smart-contracts/programs/lavarage/src/processor/liquidate.rs#L37-L41

Vulnerability details

Proof of Concept

When liquidation happens, then user should query oracle API and provide address of account that should be liquidated. I don't know the code of oracle, but this service then signs transaction and then anyone can execute it later. It's likely that Oracle checks position size of Position and signs it.

There are 2 checks inside liquidate function. First is that LTV is more than 90% and another is that wallet operator is same as provided operator.

The problem is that there is not check that provided wallet is used as trading pool's operator. Thus any node wallet can be provided which allows attacker to steal funds as they will be sent to the operator.

Impact

Tokens can be stolen.

Tools Used

VsCode

Recommended Mitigation Steps

Check that provided wallet is same as inside trading pool of position.

Assessed type

Error

[c4-judge]

alcueca marked the issue as primary issue

[c4-sponsor]

piske-alex (sponsor) confirmed

[c4-judge]

alcueca marked the issue as satisfactory

[c4-judge]

alcueca marked issue #15 as primary and marked this issue as a duplicate of 15

[rvierdiiev]

hello i would like to say that this issue is not duplicate of #15, as they talk about different things.

[c4-judge]

alcueca marked the issue as not a duplicate

[c4-judge]

alcueca marked the issue as selected for report

[c4-judge]

alcueca marked the issue as primary issue

[koolexcrypto]

Unfortunately, this is an invalid issue because the TX has to be signed by Oracle. Any change in the data will result in an invalid TX in Solana.

Furthermore, Oracle is a trusted role. Check README here

CC: @c4-judge

[alcueca]

@koolexcrypto, this is invalid.

[c4-judge]

alcueca marked the issue as not selected for report

[c4-judge]

alcueca marked the issue as unsatisfactory: Invalid