Q7 - Missing signer check in `create_pool`

[sherlock-admin2]

Q7

Medium

Missing signer check in create_pool

Summary

According to the documentation, the create_pool instruction should only be callable by an admin. However, there is currently no check in place to verify whether the signer is an admin. Additionally, the seeds used to generate the WooPool PDA are [WOOPOOL_SEED, wooconfig, token_mint, quote_token_mint], where WOOPOOL_SEED is a constant, wooconfig is a config singleton PDA, and the remaining two accounts are the mint addresses for the token pair. Notably, the admin field is not included in these seeds, which allows a malicious user to preemptively create a pool with the same token pair that the admin might intend to create, resulting in a potential DoS attack.

However, this vulnerability is dependent on another issue (#1), as it can only be exploited when there is a wooracle where the authority is the signer, allowing for arbitrary pool creation.

Root Cause

In https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/woofi/src/instructions/admin/create_pool.rs#L13-L14, there is a missing check on authority.

Internal pre-conditions

This vulnerability is dependent on another issue (#1), as it can only be exploited when there is a wooracle where the authority is the signer, allowing for arbitrary pool creation.

External pre-conditions

None

Attack Path

Attacker calls create_pool

Impact

DoS: Admin cannot create pool with the same token pair.

PoC

No response

Mitigation

Add a constraint of wooconfig.woopool_admin_authority.contains(authority.key)

[toprince]

Same with https://github.com/sherlock-audit/2024-08-woofi-solana-deployment-judging/issues/54

[sherlock-admin2]

The protocol team fixed this issue in the following PRs/commits: https://github.com/woonetwork/WOOFi_Solana/pull/31

[gjaldon]

Restricting the creation of pools and oracles to only the WooConfig authority fixes the issue.