At the moment wooracle admin is marked as the signer of the transaction (msg.sender) who calls handler() function without any verification if it's a trusted entity or not.
Vulnerability Detail
create_wooracle() instruction is used to create a new wooracle with different parameters by calling handler() function:
And there is no any constraint to validate if it's a trusted entity or not as it's done in other instructions meaning the handler() can be called by anybody.
From the spec:
Functions need admin authority: claim_fee claim_rebate_fee create_oracle create_pool create_rebate_pool deposit set_pool_admin set_pool_state (all handlers in this file) set_woo_admin set_woo_state(all handlers in this file)
Impact
Anybody can call handler() function and create a new wooracle that's supposed to be only called by admin.
Code Snippet
Provided above.
Tool used
Manual Review
Recommendation
Introduce some constraints in CreateWooracle struct to check for the trusted authority.
Creamy Carrot Yeti
High
Wooracle authority is incorrectly set
Summary
At the moment wooracle admin is marked as the signer of the transaction (
msg.sender
) who callshandler()
function without any verification if it's a trusted entity or not.Vulnerability Detail
create_wooracle()
instruction is used to create a new wooracle with different parameters by callinghandler()
function:https://github.com/woonetwork/woofi_swap_smart_contracts/blob/main/contracts/WooPPV2.sol#L84
However, in the current version of the instruction, admin is currently set as just signer:
https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/woofi/src/instructions/admin/create_wooracle.rs#L62
And there is no any constraint to validate if it's a trusted entity or not as it's done in other instructions meaning the
handler()
can be called by anybody.From the spec:
Impact
Anybody can call
handler()
function and create a new wooracle that's supposed to be only called by admin.Code Snippet
Provided above.
Tool used
Manual Review
Recommendation
Introduce some constraints in
CreateWooracle
struct to check for the trusted authority.