According to the documentation, the create_pool instruction should only be callable by an admin. However, there is currently no check in place to verify whether the signer is an admin. Additionally, the seeds used to generate the WooPool PDA are [WOOPOOL_SEED, wooconfig, token_mint, quote_token_mint], where WOOPOOL_SEED is a constant, wooconfig is a config singleton PDA, and the remaining two accounts are the mint addresses for the token pair. Notably, the admin field is not included in these seeds, which allows a malicious user to preemptively create a pool with the same token pair that the admin might intend to create, resulting in a potential DoS attack.
However, this vulnerability is dependent on another issue (#1), as it can only be exploited when there is a wooracle where the authority is the signer, allowing for arbitrary pool creation.
This vulnerability is dependent on another issue (#1), as it can only be exploited when there is a wooracle where the authority is the signer, allowing for arbitrary pool creation.
External pre-conditions
None
Attack Path
Attacker calls create_pool
Impact
DoS: Admin cannot create pool with the same token pair.
PoC
No response
Mitigation
Add a constraint of wooconfig.woopool_admin_authority.contains(authority.key)
toprince
commented
4 hours ago
Steep Ocean Swift
Medium
Missing signer check in
create_poolSummary
According to the documentation, the
create_poolinstruction should only be callable by an admin. However, there is currently no check in place to verify whether the signer is an admin. Additionally, the seeds used to generate the WooPool PDA are[WOOPOOL_SEED, wooconfig, token_mint, quote_token_mint], whereWOOPOOL_SEEDis a constant,wooconfigis a config singleton PDA, and the remaining two accounts are the mint addresses for the token pair. Notably, the admin field is not included in these seeds, which allows a malicious user to preemptively create a pool with the same token pair that the admin might intend to create, resulting in a potential DoS attack.However, this vulnerability is dependent on another issue (#1), as it can only be exploited when there is a
wooraclewhere the authority is the signer, allowing for arbitrary pool creation.Root Cause
In https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/woofi/src/instructions/admin/create_pool.rs#L13-L14, there is a missing check on
authority.Internal pre-conditions
This vulnerability is dependent on another issue (#1), as it can only be exploited when there is a
wooraclewhere the authority is the signer, allowing for arbitrary pool creation.External pre-conditions
None
Attack Path
Attacker calls
create_poolImpact
DoS: Admin cannot create pool with the same token pair.
PoC
No response
Mitigation
Add a constraint of
wooconfig.woopool_admin_authority.contains(authority.key)