Q7 - Missing signer check in `create_wooracle`

[sherlock-admin4]

Q7

Medium

Missing signer check in create_wooracle

Summary

According to the documentation, the create_oracle instruction (referred to as create_wooracle in the code) should only be callable by an admin. However, there is currently no check in place to verify whether the signer is an admin. Additionally, the seeds used to generate the wooracle PDA are [WOORACLE_SEED, wooconfig, token_mint, feed_account, price_update], where WOORACLE_SEED is a constant, wooconfig is a config singleton PDA, and the remaining three accounts represent the base token mint, the corresponding Pyth feed account, and the price update address. Notably, the admin field is not included in these seeds, which allows a malicious user to preemptively create a wooracle with the same base token that the admin might intend to use, leading to a potential DoS attack.

Root Cause

In https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/woofi/src/instructions/admin/create_wooracle.rs#L61-L62, there is a missing check on admin.

Internal pre-conditions

None

External pre-conditions

None

Attack Path

Attacker calls create_wooracle

Impact

• DoS: Admin cannot create wooracle with the same base token.

PoC

No response

Mitigation

Add a constraint of wooconfig.wooracle_admin_authority.contains(admin.key)

[toprince]

Same with https://github.com/sherlock-audit/2024-08-woofi-solana-deployment-judging/issues/54

[sherlock-admin2]

The protocol team fixed this issue in the following PRs/commits: https://github.com/woonetwork/WOOFi_Solana/pull/31

[gjaldon]

Restricting the creation of pools and oracles to only the WooConfig authority fixes the issue.