sherlock-audit / 2024-08-woofi-solana-deployment-judging


g - Only 1 Oracle can be created for a base token due to not including the quote token in the oracle's seeds #23

Open sherlock-admin4 opened 1 month ago

sherlock-admin4 commented 1 month ago

g

Medium

Only 1 Oracle can be created for a base token due to not including the quote token in the oracle's seeds

Summary

The quote token, quote feed account, and quote price update are not included in Oracle's seeds when creating the pool account.

```rust
#[account(
    init,
    payer = admin,
    space = 8 + Wooracle::INIT_SPACE,
    // @audit quote token and other quote data are not included in the seeds for an Oracle
    seeds = [
        WOORACLE_SEED.as_bytes(),
        wooconfig.key().as_ref(),
        token_mint.key().as_ref(),
        feed_account.key().as_ref(),
        price_update.key().as_ref()
        ],
    bump,
)]
wooracle: Account<'info, Wooracle>,
```

Once an Oracle for a base token is created, no more oracles for that same base token can be made. For example, only 1 Oracle can be created with SOL as the base token.

Root Cause

In create_wooracle.rs:51-57, the seeds do not include quote token, quote feed account, and quote price update. Oracles with different quote tokens but the same base token can no longer be created once an Oracle already exists for that base token.

Internal pre-conditions

None

External pre-conditions

None

Attack Path

The issue is naturally occurring and does not require an attacker to trigger it.

  1. Anyone calls the create_wooracle() instruction to create an Oracle for SOL/USDT. SOL is the base token.
  2. Anyone attempts to create another Oracle with create_wooracle() for SOL/USDC. It will fail since it uses the same base token and the same account address will be generated.

Impact

Pools for other pairs cannot be created due to lacking Oracles. Swaps cannot be executed on Pools without Oracles.

PoC

No response

Mitigation

Consider adding quote token, quote feed account, and quote price update to the Oracle's seeds.
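The collision described in the attack path and the effect of the proposed mitigation can be reproduced off-chain with a model of Solana's PDA derivation (sha256 over the seeds, the program id and the `ProgramDerivedAddress` marker, with the bump searched downward from 255 until the candidate is off the ed25519 curve). The script below is an added example, not code from the WOOFi program or this report. The program id, the `WOORACLE_SEED` value (`b"wooracle"`) and every account key are constructed placeholders, and the function names `oracle_pda_reported` and `oracle_pda_mitigated` are hypothetical; the first uses the seed set shown in the finding, the second appends the quote mint, quote feed and quote price update as the mitigation suggests.

```python
"""Model of Solana PDA derivation used to show why the reported seed set maps a
SOL/USDT and a SOL/USDC oracle to the same account address, and why adding the
quote-side accounts to the seeds separates them. All keys are constructed."""
import hashlib

# ed25519 field prime and twisted-Edwards constant d = -121665/121666 mod p
P = 2**255 - 19
D = (-121665 * pow(121666, P - 2, P)) % P
PDA_MARKER = b"ProgramDerivedAddress"
MAX_SEEDS, MAX_SEED_LEN = 16, 32


def is_on_curve(point: bytes) -> bool:
    """True if the 32 bytes decompress to an ed25519 point; PDAs must be off-curve."""
    y = int.from_bytes(point, "little") & ((1 << 255) - 1)  # drop the x sign bit
    y %= P
    y2 = y * y % P
    u = (y2 - 1) % P       # numerator of x^2 = (y^2 - 1) / (d*y^2 + 1)
    v = (D * y2 + 1) % P   # denominator
    if v == 0:
        return u == 0
    x2 = u * pow(v, P - 2, P) % P
    # a point with this y exists iff x^2 is zero or a quadratic residue mod p
    return x2 == 0 or pow(x2, (P - 1) // 2, P) == 1


def create_program_address(seeds, program_id: bytes) -> bytes:
    """sha256(seeds || program_id || marker); reject candidates on the curve."""
    h = hashlib.sha256()
    for seed in seeds:
        h.update(seed)
    h.update(program_id)
    h.update(PDA_MARKER)
    candidate = h.digest()
    if is_on_curve(candidate):
        raise ValueError("candidate lies on the curve")
    return candidate


def find_program_address(seeds, program_id: bytes):
    """Search bump 255..0 and return the first off-curve (address, bump)."""
    seeds = list(seeds)
    if len(seeds) >= MAX_SEEDS or any(len(s) > MAX_SEED_LEN for s in seeds):
        raise ValueError("too many seeds or a seed longer than 32 bytes")
    for bump in range(255, -1, -1):
        try:
            return create_program_address(seeds + [bytes([bump])], program_id), bump
        except ValueError:
            continue
    raise ValueError("no viable bump found")


def fake_key(label: str) -> bytes:
    """Constructed 32-byte stand-in for an account address (not a real key)."""
    return hashlib.sha256(label.encode()).digest()


PROGRAM_ID = fake_key("placeholder-woofi-program")  # placeholder, not the real program id
WOORACLE_SEED = b"wooracle"                          # assumed value of the seed constant
KEYS = {name: fake_key(name) for name in (
    "wooconfig", "sol_mint", "sol_feed", "sol_price_update",
    "usdt_mint", "usdt_feed", "usdt_price_update",
    "usdc_mint", "usdc_feed", "usdc_price_update")}


def base_seeds():
    """Seeds as in the reported create_wooracle: config plus base-token data only."""
    return [WOORACLE_SEED, KEYS["wooconfig"], KEYS["sol_mint"],
            KEYS["sol_feed"], KEYS["sol_price_update"]]


def oracle_pda_reported(quote: str):
    """Reported seed set: the quote token never enters the derivation,
    so the quote argument has no effect on the resulting address."""
    return find_program_address(base_seeds(), PROGRAM_ID)


def oracle_pda_mitigated(quote: str):
    """Mitigation from the report: append quote mint, quote feed and
    quote price update so every pair gets its own oracle account."""
    seeds = base_seeds() + [KEYS[f"{quote}_mint"], KEYS[f"{quote}_feed"],
                            KEYS[f"{quote}_price_update"]]
    return find_program_address(seeds, PROGRAM_ID)


def collision_report() -> dict:
    """Does SOL/USDT share an address with SOL/USDC under each seed set?"""
    return {
        "reported_collides": oracle_pda_reported("usdt") == oracle_pda_reported("usdc"),
        "mitigated_collides": oracle_pda_mitigated("usdt") == oracle_pda_mitigated("usdc"),
    }


if __name__ == "__main__":
    for label, fn in (("reported", oracle_pda_reported), ("mitigated", oracle_pda_mitigated)):
        for quote in ("usdt", "usdc"):
            addr, bump = fn(quote)
            print(f"{label:9} SOL/{quote.upper()}: {addr.hex()} bump={bump}")
    print(collision_report())
```

Running it prints identical addresses for the two "reported" rows and distinct ones for the "mitigated" rows. Since Anchor's `init` constraint creates the account at exactly this derived address, the second `create_wooracle()` call in the reported case targets an account that already exists and fails, which is the failure mode the attack path describes; with the quote-side seeds appended, each pair resolves to its own account.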

toprince commented 1 month ago

Need a decision after discussion. In my opinion, we do support multiple quote tokens.

sherlock-admin2 commented 3 weeks ago

The protocol team fixed this issue in the following PRs/commits: https://github.com/woonetwork/WOOFi_Solana/pull/31

gjaldon commented 2 weeks ago

Restricting the creation of pools and oracles to only the WooConfig authority fixes the issue.