toprince
commented
4 hours ago Not valid, Config cannot created twice. reInit is assured by Anchor. you can have a test case to see this.
Open sherlock-admin3 opened 15 hours ago
toprince
commented
4 hours ago Not valid, Config cannot created twice. reInit is assured by Anchor. you can have a test case to see this.
Uneven Gingham Locust
Medium
Attacker can DoS WooFi deployment
Summary
Anyone can create the WooConfig account by calling the
create_configfunction immediately after deployment. Any given WooFi program can only have oneWooConfigstate account and the caller of thecreate_configbecomes the authority for theWooConfighence controls all admin related functions of the WooFi program.When an attacker calls the
create_configfunction before the protocol team, the authority can be set to attaker controlled address making the deployment unusable.Root Cause
The
create_configfunction should check that an admin called the function by comparing against an hardcoded address in the program. The function only ensures that anauthoritysigned the instruction, there are no checks on the address of authority:https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/woofi/src/instructions/admin/create_config.rs#L7-L9
https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/woofi/src/instructions/admin/create_config.rs#L24-L25
Because deployments work differently on Solana, there is no constructor for the program hence the
owneraddresses cannot be set like in Ethereum. The initializer address must be hard-coded.Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
create_configfunction.Impact
Attacker DoSes the deployment
PoC
No response
Mitigation
Hardcode an initializer address and ensure the initializer is signer for the
create_configcall,