search

sherlock-audit / 2024-08-woofi-solana-deployment-judging

2 stars 2 forks source link

LZ_security - The protocol does not support token2022 #52

Open sherlock-admin3 opened 1 month ago

sherlock-admin3 commented 1 month ago

LZ_security

Medium

The protocol does not support token2022

Summary

With the address token::ID set in token_program, token_program of token2022 will not be supported. Therefore, tokens that rely on token2022_program will not be supported.

Vulnerability Detail

The address of token_program must be token::ID:

    #[account(address = token::ID)]
    pub token_program: Program<'info, Token>,

The problem is that the program id for token2022 is TOKEN_2022_PROGRAM_ID.

If the new token relies on token2022, it will not be supported.

Although it currently only supports sol, usdt, and usdc, it cannot be added later when you want to support other token2022

https://spl.solana.com/token-2022

Impact

tokens that rely on token2022_program will not be supported.

Code Snippet

https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/1c4c9c622e8c44ae2f8cd4219c7c2a0181f25ca0/WOOFi_Solana/programs/woofi/src/instructions/swap.rs#L18-L19

Tool used

Manual Review

Recommendation

Added support for token2022

toprince commented 1 month ago

Good point. Need further investigation here.