c4-bot-9 closed 4 months ago
alcueca marked the issue as primary issue
piske-alex (sponsor) confirmed
alcueca marked the issue as satisfactory
alcueca marked issue #15 as primary and marked this issue as a duplicate of 15
Hello, I would like to say that this issue is not a duplicate of #15, as they talk about different things.
alcueca marked the issue as not a duplicate
alcueca marked the issue as selected for report
alcueca marked the issue as primary issue
Unfortunately, this is an invalid issue because the TX has to be signed by Oracle. Any change in the data will result in an invalid TX in Solana.
Furthermore, Oracle is a trusted role. Check README here
CC: @c4-judge
@koolexcrypto, this is invalid.
alcueca marked the issue as not selected for report
alcueca marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-04-lavarage/blob/main/libs/smart-contracts/programs/lavarage/src/processor/liquidate.rs#L37-L41
Vulnerability details
Proof of Concept
When liquidation happens, the user should query the oracle API and provide the address of the account that should be liquidated. I don't know the code of the oracle, but this service then signs the transaction and then anyone can execute it later. It's likely that the Oracle checks the position size of the Position and signs it.
There are 2 checks inside the `liquidate` function. The first is that LTV is more than 90% and the other is that the wallet operator is the same as the provided operator. The problem is that there is no check that the provided wallet is used as the trading pool's operator. Thus any node wallet can be provided, which allows an attacker to steal funds, as they will be sent to the operator.
Impact
Tokens can be stolen.
Tools Used
VS Code
Recommended Mitigation Steps
Check that the provided wallet is the same as the one inside the trading pool of the position.
Assessed type
Error
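
The account binding recommended in the report above, as an added example that is not part of the original report or the Lavarage code. It is a simplified Rust model: every type, field and function name is hypothetical, and LTV is assumed to mean debt divided by collateral value.

```rust
// Added example: hypothetical, simplified account model (not the Lavarage program's structs).
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Pubkey(pub u8); // stand-in for a 32-byte Solana address

pub struct NodeWallet { pub key: Pubkey, pub operator: Pubkey }
pub struct TradingPool { pub key: Pubkey, pub node_wallet: Pubkey }
pub struct Position { pub pool: Pubkey, pub collateral_value: u64, pub debt: u64 }

#[derive(Debug, PartialEq, Eq)]
pub enum LiquidateError { LtvNotAboveThreshold, OperatorMismatch, PoolMismatch, NodeWalletMismatch }

/// The two checks the report describes: LTV above 90%, and the supplied
/// operator equal to the operator recorded in the supplied node wallet.
pub fn described_checks(pos: &Position, wallet: &NodeWallet, operator: Pubkey) -> Result<(), LiquidateError> {
    // debt / collateral > 90%  <=>  debt * 100 > collateral * 90 (u128 avoids overflow)
    if (pos.debt as u128) * 100 <= (pos.collateral_value as u128) * 90 {
        return Err(LiquidateError::LtvNotAboveThreshold);
    }
    if wallet.operator != operator {
        return Err(LiquidateError::OperatorMismatch);
    }
    Ok(())
}

/// Same checks plus the recommended binding: position -> pool -> node wallet.
pub fn checks_with_pool_binding(pos: &Position, pool: &TradingPool, wallet: &NodeWallet,
                                operator: Pubkey) -> Result<(), LiquidateError> {
    described_checks(pos, wallet, operator)?;
    if pos.pool != pool.key {
        return Err(LiquidateError::PoolMismatch);
    }
    if pool.node_wallet != wallet.key {
        return Err(LiquidateError::NodeWalletMismatch);
    }
    Ok(())
}

fn main() {
    // Constructed sample accounts.
    let pool = TradingPool { key: Pubkey(1), node_wallet: Pubkey(2) };
    let pos = Position { pool: Pubkey(1), collateral_value: 100, debt: 95 };
    let pool_wallet = NodeWallet { key: Pubkey(2), operator: Pubkey(3) };
    let unrelated = NodeWallet { key: Pubkey(8), operator: Pubkey(9) };
    println!("pool wallet: {:?}", checks_with_pool_binding(&pos, &pool, &pool_wallet, Pubkey(3)));
    println!("unrelated, two checks only: {:?}", described_checks(&pos, &unrelated, Pubkey(9)));
    println!("unrelated, with binding: {:?}", checks_with_pool_binding(&pos, &pool, &unrelated, Pubkey(9)));
}
```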