Attacker can prevent WooFi admin from adding additional base tokens
Summary
Anyone can create a pool for (base, quote) pair and the authority field of the woopool is set to the creator address.
There can only be one woopool PDA for a given (base, quote) pair i.e once someone creates a pool for (B, Q) its not possible to create another pool for (B, Q).
swap operation requires that all the pools involved have the same authority i.e same creator.
As a result, an attacker can create a woopool for e.g (WETH, USDC), the authority address will be set to the attacker. Because rest of the pools are created by the woofi team, the authority field will be set to the woofi admin address for those pools. Swaps cannot work with WETH as base and woofi team cannot create the WETH pool as well hence cannot add support for WETH as base token.
Root Cause
The seeds used for creating woopool state PDA do not include the authority address thats creating the pool. The program intends to allow multiple authorities to create pools. The pools are grouped based on the authority and swap operations are only allowed between the pools of the same group.
By not including the authority address as the seed for woopool PDA, the program is only allowing for one woopool for a pair. As anyone can create a pool, an attacker can create one and prohibit the woofi admin from creating that pool. Swaps require same authority address disallowing adding support for these base tokens.
toprince
commented
4 hours ago
Uneven Gingham Locust
Medium
Attacker can prevent WooFi admin from adding additional base tokens
Summary
authorityfield of the woopool is set to the creator address.swapoperation requires that all the pools involved have the sameauthorityi.e same creator.As a result, an attacker can create a woopool for e.g (WETH, USDC), the authority address will be set to the attacker. Because rest of the pools are created by the woofi team, the
authorityfield will be set to the woofi admin address for those pools. Swaps cannot work withWETHas base and woofi team cannot create theWETHpool as well hence cannot add support for WETH as base token.Root Cause
The seeds used for creating
woopoolstate PDA do not include theauthorityaddress thats creating the pool. The program intends to allow multiple authorities to create pools. The pools are grouped based on the authority and swap operations are only allowed between the pools of the same group.https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/woofi/src/instructions/admin/create_pool.rs#L16-L27
By not including the
authorityaddress as the seed for woopool PDA, the program is only allowing for one woopool for a pair. As anyone can create a pool, an attacker can create one and prohibit the woofi admin from creating that pool. Swaps require sameauthorityaddress disallowing adding support for these base tokens.https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/woofi/src/instructions/swap.rs#L32-L35
https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/woofi/src/instructions/swap.rs#L59-L60
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
SOL,USDTas base tokens withUSDCas the quote token.authorityfield of these pools is set woofi admin addressWETH, USDCand sets the authority to their own addressNote the attack does not require additional integrations. The attacker can also create
USDT, USDCpool before the woofi admin.Impact
Attacker can prevent WooFi from supporting additional base tokens for swaps
PoC
No response
Mitigation
Include the
authorityaddress creating the woopool as a seed for the PDA