sherlock-audit / 2024-08-woofi-solana-deployment-judging


0xeix - Wooracle authority is incorrectly set #36

Open sherlock-admin2 opened 1 month ago

sherlock-admin2 commented 1 month ago

0xeix

High

Wooracle authority is incorrectly set

Summary

At the moment, the wooracle admin is marked as the signer of the transaction (msg.sender) who calls the handler() function, without any verification of whether it's a trusted entity or not.

Vulnerability Detail

The create_wooracle() instruction is used to create a new wooracle with different parameters by calling the handler() function:

https://github.com/woonetwork/woofi_swap_smart_contracts/blob/main/contracts/WooPPV2.sol#L84

pub fn handler(ctx: Context<CreateWooracle>, maximum_age: u64) -> Result<()>

However, in the current version of the instruction, admin is set as just a signer:

https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/woofi/src/instructions/admin/create_wooracle.rs#L62

 admin: Signer<'info>,

And there is no constraint to validate whether it's a trusted entity or not, as is done in other instructions, meaning handler() can be called by anybody.

From the spec:

Functions need admin authority: claim_fee, claim_rebate_fee, create_oracle, create_pool, create_rebate_pool, deposit, set_pool_admin, set_pool_state (all handlers in this file), set_woo_admin, set_woo_state (all handlers in this file)

Impact

Anybody can call the handler() function and create a new wooracle, which is supposed to be callable only by the admin.

Code Snippet

Provided above.

Tool used

Manual Review

Recommendation

Introduce some constraints in the CreateWooracle struct to check for the trusted authority.

toprince commented 1 month ago

valid, low impact. same with https://github.com/sherlock-audit/2024-08-woofi-solana-deployment-judging/issues/54

sherlock-admin2 commented 1 month ago

The protocol team fixed this issue in the following PRs/commits: https://github.com/woonetwork/WOOFi_Solana/pull/31

gjaldon commented 3 weeks ago

Restricting the creation of pools and oracles to only the WooConfig authority fixes the issue.
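
The authority restriction discussed in this thread, as an added example that is not part of the issue or the WOOFi code base: a dependency-free Rust model of the account checks that must pass before handler() runs, comparing the signer-only check with one bound to the WooConfig authority. The `address` and `authority` fields, the `validate_*` functions and the sample keys are assumptions; an Anchor program would express the same checks as account constraints on the CreateWooracle struct.

```rust
// Added illustration, not WOOFi code: models the account checks that must
// pass before handler() runs. Field and function names are assumptions.
pub type Pubkey = [u8; 32];

#[derive(Debug, PartialEq)]
pub enum AuthError { MissingSignature, WrongConfigAccount, Unauthorized }

/// Assumed layout: the config account records the single trusted authority.
pub struct WooConfig { pub address: Pubkey, pub authority: Pubkey }

/// Accounts supplied by the caller of create_wooracle.
pub struct CreateWooracle<'a> {
    pub wooconfig: &'a WooConfig,
    pub admin: Pubkey,
    pub admin_signed: bool,
}

/// Check described in the report: `admin: Signer<'info>` only proves a signature.
pub fn validate_signer_only(ctx: &CreateWooracle) -> Result<(), AuthError> {
    if ctx.admin_signed { Ok(()) } else { Err(AuthError::MissingSignature) }
}

/// Hardened check: the config account must be the canonical one (a PDA derived
/// from fixed seeds in a real program) and the signer must be its authority.
pub fn validate_admin(ctx: &CreateWooracle, canonical: &Pubkey) -> Result<(), AuthError> {
    validate_signer_only(ctx)?;
    if &ctx.wooconfig.address != canonical { return Err(AuthError::WrongConfigAccount); }
    if ctx.admin != ctx.wooconfig.authority { return Err(AuthError::Unauthorized); }
    Ok(())
}

fn main() {
    // Constructed sample keys, not real addresses.
    let (cfg_addr, team, stranger) = ([1u8; 32], [2u8; 32], [3u8; 32]);
    let config = WooConfig { address: cfg_addr, authority: team };
    let other = WooConfig { address: [9u8; 32], authority: stranger };
    let cases = [
        ("authority, canonical config", CreateWooracle { wooconfig: &config, admin: team, admin_signed: true }),
        ("other signer, canonical config", CreateWooracle { wooconfig: &config, admin: stranger, admin_signed: true }),
        ("other signer, non-canonical config", CreateWooracle { wooconfig: &other, admin: stranger, admin_signed: true }),
    ];
    for (name, ctx) in &cases {
        println!("{}: signer-only={:?} hardened={:?}",
                 name, validate_signer_only(ctx), validate_admin(ctx, &cfg_addr));
    }
}
```

Comparing the signer against the stored authority is only meaningful when the config account itself is pinned to a known address, which is why the hardened check verifies both.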