0xeix - Permit functionality cannot be properly used in the contract

[sherlock-admin3]

0xeix

Medium

Permit functionality cannot be properly used in the contract

Summary

At the moment protocol requires for the signer of the tx to be the owner of the account where the tokens will be withdrawn from. This disallows using permit functionality (including USDC permits) and disables any potential integrations with many protocols.

Vulnerability Detail

Currently there is a following check:

https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/woofi/src/instructions/swap.rs#L37

 constraint = token_owner_account_from.owner == payer.key(),

This creates a situation where permit functionality (including USDC permit functionality as it's one of the tokens marked in scope) cannot be used at all breaking integrations with many protocols where smart contract will transfer and swap the funds instead of the user.

Impact

Protocol will not be compatible with a huge variety of other protocols as it disables the opportunity to use permit functionality for gasless transfers, for example.

Code Snippet

Provided above.

Tool used

Manual Review

Recommendation

Check for allowance of the from account to allow using permit functionality.

[toprince]

Good point, need investigation here.

[sherlock-admin2]

The protocol team fixed this issue in the following PRs/commits: https://github.com/woonetwork/WOOFi_Solana/pull/43

[gjaldon]

Removed the constraint that restricts swaps to only the owner of the token account. Signers and delegates given permission by the owner to handle their account can now do swaps on the owner's behalf.