sherlock-audit / 2024-08-woofi-solana-deployment-judging

Cuddly Gauze Mustang - User will use external accounts for bypassing check in programs #32

Open sherlock-admin4 opened 15 hours ago

sherlock-admin4 commented 15 hours ago

Cuddly Gauze Mustang

High

User will use external accounts for bypassing check in programs

Summary

In the current implementation, multiple instructions assume that accounts are owned by the current program (and so are trusted), but they are not. This allows a user to provide external accounts to bypass checks.

Root Cause

Other occurrences in claim_fee.rs, create_pool.rs#L9, deposit_withdraw.rs#L9, and everywhere else in the codebase.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

  1. User creates a wooconfig account owned by himself
  2. User uses this wooconfig account through the WooFi instructions to bypass checks

Impact

Multiple checks are bypassed, including access control checks.

PoC

No response

Mitigation

Every time wooconfig is expected, ensure that the account is the correct PDA.

For example, in the CreateWooracle structure, it gives:

#[derive(Accounts)]
pub struct CreateWooracle<'info> {
    // Require `wooconfig` to be the PDA derived from WOOCONFIG_SEED under this program.
    #[account(
        seeds = [
            WOOCONFIG_SEED.as_bytes(),
        ],
        bump,
    )]
    pub wooconfig: Box<Account<'info, WooConfig>>,
    // ...
}

toprince commented 12 hours ago

Not valid. Cannot create wooconfig again.
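
The checks discussed in this thread, as an added example (not code from the report or from the WooFi repository): a Python model of what Anchor's `Account<'info, T>` type and a `seeds`/`bump` constraint verify on a passed-in account, namely owner, 8-byte discriminator, and PDA address. The program IDs, the seed value, and the `validate_wooconfig` helper are constructed placeholders.

```python
import hashlib

P = 2**255 - 19
D = (-121665 * pow(121666, -1, P)) % P  # ed25519 curve constant d

def is_on_curve(pubkey: bytes) -> bool:
    """True if the 32 bytes decompress to an ed25519 point."""
    y = (int.from_bytes(pubkey, "little") & ((1 << 255) - 1)) % P
    u, v = (y * y - 1) % P, (D * y * y + 1) % P
    x2 = u * pow(v, -1, P) % P
    return pow(x2, (P - 1) // 2, P) in (0, 1)  # Euler criterion: x2 is a square

def find_program_address(seeds, program_id: bytes):
    """Highest bump whose hash is off-curve, following Solana's PDA derivation."""
    for bump in range(255, -1, -1):
        h = hashlib.sha256(b"".join(seeds) + bytes([bump]) + program_id
                           + b"ProgramDerivedAddress").digest()
        if not is_on_curve(h):
            return h, bump
    raise ValueError("no valid bump")

def discriminator(name: str) -> bytes:
    """Anchor account discriminator: first 8 bytes of sha256('account:<Name>')."""
    return hashlib.sha256(f"account:{name}".encode()).digest()[:8]

def validate_wooconfig(account: dict, program_id: bytes, seed: bytes) -> list:
    """Return the names of the failed checks; an empty list means accepted."""
    failures = []
    if account["owner"] != program_id:
        failures.append("owner")
    if account["data"][:8] != discriminator("WooConfig"):
        failures.append("discriminator")
    if account["key"] != find_program_address([seed], program_id)[0]:
        failures.append("address")
    return failures

# Constructed sample values (not taken from the WooFi code base).
PROGRAM_ID = hashlib.sha256(b"constructed-program-id").digest()
OTHER_PROGRAM = hashlib.sha256(b"constructed-other-program").digest()
SEED = b"wooconfig-placeholder"
PDA, BUMP = find_program_address([SEED], PROGRAM_ID)
DATA = discriminator("WooConfig") + bytes(32)

genuine = {"key": PDA, "owner": PROGRAM_ID, "data": DATA}
lookalike = {"key": hashlib.sha256(b"constructed-user-key").digest(),
             "owner": OTHER_PROGRAM, "data": DATA}

if __name__ == "__main__":
    print("genuine  :", validate_wooconfig(genuine, PROGRAM_ID, SEED))
    print("lookalike:", validate_wooconfig(lookalike, PROGRAM_ID, SEED))
```

Because the derivation is deterministic, a given seed and program ID map to exactly one address, so a byte-identical account at any other key fails the address check regardless of its contents.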