Uneven Gingham Locust
Medium
Incorrect implementation of query function
Summary
Because of an incorrect condition, the query function will succeed and the swap function would fail for the same parameters.
The query function is intended to be a view form of swap. The query returns the output amounts without doing the actual swap, and the function should fail if the swap is not possible.
The query function ensures the woopool_to has enough reserves for the out amount and the swap fee:
https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/woofi/src/instructions/query.rs#L118-L123
https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/woofi/src/instructions/query.rs#L144-L147
The require conditions used will incorrectly pass when the swap is a Base-to-Quote swap. In the Base-to-Quote swap, the woopool_to and the woopool_quote will be the same. As a result, the swap fee is also deducted from the woopool_to.
However, the query ensures that
woopool_to has enough reserves for to_amount (woopool_to.reserve >= to_amount)
woopool_quote has enough reserves for fees (woopool_quote.reserve >= swap_fee)
These checks are done separately. When the woopool_to and woopool_quote are the same, it is possible that woopool_to.reserve >= to_amount, woopool_to.reserve >= swap_fee but woopool_to.reserve < to_amount + swap_fee.
In this case, the query function succeeds even when it should not.
Root Cause
Incorrect condition for checking whether the reserves of the woopool_to are sufficient to cover to_amount and swap_fee:
https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/woofi/src/instructions/query.rs#L119-L122
https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/woofi/src/instructions/query.rs#L144-L147
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
woopool_from = (SOL, USDC), woopool_to = (USDC, USDC), woopool_quote = (USDC, USDC) and woopool_to == woopool_quote.
woopool_from has 2 SOL in reserve and woopool_to has 130 USDC.
1 SOL = 125 USDC
1 SOL. The to_amount = 125 USDC and swap_fee = 15 USDC.
woopool_to.reserve == 130 USDC < 125 + 15 USDC.
Impact
Incorrect implementation of core functionality: Query incorrectly succeeds when it should not.
PoC
No response
Mitigation
No response
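
The report's Attack Path numbers can be run through a small model of the two checks. This is an added example, not code from the report or from the WOOFi program. The names Pool, QueryError, query_separate, query_combined and swap_debit are hypothetical, and the debit order in swap_debit is an assumption.

```rust
// Added illustration: hypothetical names that model the reserve checks
// described in the report; this is not the WOOFi program's source.
#[derive(Debug, PartialEq, Eq)]
enum QueryError {
    InsufficientReserve,
    Overflow,
}

struct Pool {
    id: u8,        // stands in for the pool account address
    reserve: u128, // balance in whole tokens (constructed values)
}

/// Checks as the report describes them: each requirement tested on its own.
fn query_separate(to: &Pool, quote: &Pool, to_amount: u128, swap_fee: u128) -> Result<(), QueryError> {
    if to.reserve < to_amount || quote.reserve < swap_fee {
        return Err(QueryError::InsufficientReserve);
    }
    Ok(())
}

/// Combined check: if both roles are one pool, its reserve must cover the sum.
fn query_combined(to: &Pool, quote: &Pool, to_amount: u128, swap_fee: u128) -> Result<(), QueryError> {
    if to.id == quote.id {
        let needed = to_amount.checked_add(swap_fee).ok_or(QueryError::Overflow)?;
        if to.reserve < needed {
            return Err(QueryError::InsufficientReserve);
        }
        return Ok(());
    }
    query_separate(to, quote, to_amount, swap_fee)
}

/// Model of the swap's debits when fee and output leave the same pool.
fn swap_debit(reserve: u128, to_amount: u128, swap_fee: u128) -> Option<u128> {
    reserve.checked_sub(swap_fee)?.checked_sub(to_amount)
}

fn main() {
    // Attack Path numbers: reserve 130 USDC, to_amount 125, swap_fee 15.
    let usdc = Pool { id: 1, reserve: 130 };
    println!("separate: {:?}", query_separate(&usdc, &usdc, 125, 15));
    println!("combined: {:?}", query_combined(&usdc, &usdc, 125, 15));
    println!("swap:     {:?}", swap_debit(usdc.reserve, 125, 15));
}
```

With the separate checks the query passes while the modelled swap debit underflows; the combined check rejects the same inputs and leaves the case of two distinct pools unchanged.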