search

sherlock-audit / 2024-08-woofi-solana-deployment-judging

2 stars 2 forks source link

chinepun - DOS vulnerability due to Global WooConfig Account #15

Open sherlock-admin2 opened 1 month ago

sherlock-admin2 commented 1 month ago

chinepun

Medium

DOS vulnerability due to Global WooConfig Account

High

Summary

The current implementation of wooconfig is global, and this includes settings for a pause functionality.

Root Cause

Admin sets pause to true

Internal pre-conditions

Wooconfig Authority set the pause functionality to true making all swaps on the platform impossible

Impact

If the wooconfig.pause = true, this will make all swaps to fail. The wooconfig account is generated with constant seeds hence pausing it prevents most user defined functionalities

Mitigation

Create an Individual wooconfig account unique to only two whitelisted tokens(base and quote) so that pausing only affects the swaps between these two tokens rather than rendering all swaps in the platform unusable or add the pause functionality in the woopool account.

toprince commented 1 month ago

Need investigate this further.

toprince commented 4 weeks ago

design decesion here, keep it simple.