search

sherlock-audit / 2024-08-woofi-solana-deployment-judging

0 stars 0 forks source link

Uneven Gingham Locust - Incorrect implementation of `query` function #43

Open sherlock-admin3 opened 15 hours ago

sherlock-admin3 commented 15 hours ago

Uneven Gingham Locust

Medium

Incorrect implementation of query function

Summary

Because of an incorrect condition, the query function will succeed and the swap function would fail for same parameters.

The query function is intended to be a view form of swap. The query returns the output amounts without doing the actual swap and the function should fail if the swap is not possible.

The query function ensures the woopool_to has enough reserves for the out amount and the swap fee:

https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/woofi/src/instructions/query.rs#L118-L123

https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/woofi/src/instructions/query.rs#L144-L147

The used require conditions will incorrectly pass in case the swap is from Base-to-Quote swap. In the Base-to-Quote swap, the woopool_to and the woopool_quote will be same. As a result, the swap fee is also deducted from the woopool_to.

However, the query ensures that

  1. woopool_to has enough reserves for to_amount (woopool_to.reserve >= to_amount)
  2. woopool_quote has enough reserves for fees (woopool_quote.reserve >= swap_fee)

These checks are done separately. When the woopool_to, woopool_quote are same, it is possible that

woopool_to.reserve >= to_amount, woopool_to.reserve >= swap_fee but woopool_to.reserve < to_amount + swap_fee.

In this case, the query function succeeds even when it should not.

Root Cause

Incorrect condition for checking whether the reserves of the woopool_to are sufficient to cover for to_amount and swap_fee:

https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/woofi/src/instructions/query.rs#L119-L122

https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/woofi/src/instructions/query.rs#L144-L147

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

  1. Alice intends swap from SOL to USDC.
  2. woopool_from = (SOL, USDC), woopool_to = (USDC, USDC), woopool_quote = (USDC, USDC) and woopool_to == woopool_quote.
  3. woopool_from has 2 SOL in reserve and woopool_to has 130 USDC.
  4. Wooracle price is 1 SOL = 125 USDC
  5. Alice calls query function to swap 1 SOL. The to_amount = 125 USDC and swap_fee = 15 USDC.
  6. The query function succeeds even when the woopool_to.reserve == 130 USDC < 125 + 15 USDC.

Impact

Incorrect implementation of core functionality: Query incorrectly succeeds when it should not.

PoC

No response

Mitigation

No response

toprince commented 4 hours ago

Not valid. this is by design, query will not check real swap condition, only for price purpose, same with evm.