Attacker can prevent WooFi admin from adding additional base tokens
Summary
Anyone can create a pool for (base, quote) pair and the authority field of the woopool is set to the creator address.
There can only be one woopool PDA for a given (base, quote) pair i.e once someone creates a pool for (B, Q) its not possible to create another pool for (B, Q).
swap operation requires that all the pools involved have the same authority i.e same creator.
As a result, an attacker can create a woopool for e.g (WETH, USDC), the authority address will be set to the attacker. Because rest of the pools are created by the woofi team, the authority field will be set to the woofi admin address for those pools. Swaps cannot work with WETH as base and woofi team cannot create the WETH pool as well hence cannot add support for WETH as base token.
Root Cause
The seeds used for creating woopool state PDA do not include the authority address thats creating the pool. The program intends to allow multiple authorities to create pools. The pools are grouped based on the authority and swap operations are only allowed between the pools of the same group.
By not including the authority address as the seed for woopool PDA, the program is only allowing for one woopool for a pair. As anyone can create a pool, an attacker can create one and prohibit the woofi admin from creating that pool. Swaps require same authority address disallowing adding support for these base tokens.
Uneven Gingham Locust
Medium
Attacker can prevent WooFi admin from adding additional base tokens
Summary
authority
field of the woopool is set to the creator address.swap
operation requires that all the pools involved have the sameauthority
i.e same creator.As a result, an attacker can create a woopool for e.g (WETH, USDC), the authority address will be set to the attacker. Because rest of the pools are created by the woofi team, the
authority
field will be set to the woofi admin address for those pools. Swaps cannot work withWETH
as base and woofi team cannot create theWETH
pool as well hence cannot add support for WETH as base token.Root Cause
The seeds used for creating
woopool
state PDA do not include theauthority
address thats creating the pool. The program intends to allow multiple authorities to create pools. The pools are grouped based on the authority and swap operations are only allowed between the pools of the same group.https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/woofi/src/instructions/admin/create_pool.rs#L16-L27
By not including the
authority
address as the seed for woopool PDA, the program is only allowing for one woopool for a pair. As anyone can create a pool, an attacker can create one and prohibit the woofi admin from creating that pool. Swaps require sameauthority
address disallowing adding support for these base tokens.https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/woofi/src/instructions/swap.rs#L32-L35
https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/woofi/src/instructions/swap.rs#L59-L60
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
SOL
,USDT
as base tokens withUSDC
as the quote token.authority
field of these pools is set woofi admin addressWETH, USDC
and sets the authority to their own addressNote the attack does not require additional integrations. The attacker can also create
USDT, USDC
pool before the woofi admin.Impact
Attacker can prevent WooFi from supporting additional base tokens for swaps
PoC
No response
Mitigation
Include the
authority
address creating the woopool as a seed for the PDA