Fluffy Burlap Lark - Arbitrary permission initialization of wooracle contract

[sherlock-admin2]

Fluffy Burlap Lark

Medium

Arbitrary permission initialization of wooracle contract

Summary

The Wooracle contract in the WOOFi program can be initialized by anyone by calling the , allowing for potential misuse by malicious users. This flaw enables unauthorized actors to create fraudulent oracle instances using the official contract, leading to potential abuse and exploitation of the WOOFi infrastructure by calling the create_wooracle,

Vulnerability Detail

The code in question allows the Wooracle to be initialized without adequate authorization checks, as seen in the create_wooracle.rs file. Specifically, any user can invoke the create_wooracle function, enabling them to initialize a new instance of the oracle contract, even if they are not an authorized admin or associated with the WOOFi team.

The vulnerability exists because there is no validation of the admin or authority account passed during the initialization process. This lack of restrictions allows anyone to create a new oracle instance, bypassing proper administrative controls.

Attack scnerio: Attacker can create any wooconfig account with the same format and just pass on that account.

https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/woofi/src/instructions/admin/create_wooracle.rs#L44C1-L45C1

Impact

• Create fake oracle contracts: Malicious actors could deploy fraudulent Wooracle instances using the official program, confusing or misleading other users.
• Conduct fraudulent activities: These unauthorized oracle instances could be used to manipulate data or price feeds, potentially causing users to suffer financial losses.
• Erode trust in the WOOFi system: The ability for anyone to initialize oracles may lead to a loss of trust in the reliability and integrity of the platform.

Code Snippet

pub struct CreateWooracle<'info> {
    pub wooconfig: Box<Account<'info, WooConfig>>,
    pub token_mint: Account<'info, Mint>,

    #[account(
        init,
        payer = admin,
        space = 8 + Wooracle::INIT_SPACE,
        seeds = [
            WOORACLE_SEED.as_bytes(),
            wooconfig.key().as_ref(),
            token_mint.key().as_ref(),
            feed_account.key().as_ref(),
            price_update.key().as_ref()
            ],
        bump,
    )]
    wooracle: Account<'info, Wooracle>,
    #[account(mut)]
    admin: Signer<'info>,
    system_program: Program<'info, System>,
    /// CHECK: This is the Pyth feed account
    feed_account: AccountInfo<'info>,
    // Add this account to any instruction Context that needs price data.
    // Warning:
    // users must ensure that the account passed to their instruction is owned by the Pyth pull oracle program.
    // Using Anchor with the Account<'info, PriceUpdateV2> type will automatically perform this check.
    // However, if you are not using Anchor, it is your responsibility to perform this check.
    price_update: Account<'info, PriceUpdateV2>,

    quote_token_mint: Account<'info, Mint>,
    /// CHECK: This is the Quote token's pyth feed account
    quote_feed_account: AccountInfo<'info>,
    // Add this account to any instruction Context that needs price data.
    // Warning:
    // users must ensure that the account passed to their instruction is owned by the Pyth pull oracle program.
    // Using Anchor with the Account<'info, PriceUpdateV2> type will automatically perform this check.
    // However, if you are not using Anchor, it is your responsibility to perform this check.
    quote_price_update: Account<'info, PriceUpdateV2>,
}

Tool used

Anchor

Recommendation

#[account(
    constraint = authority.key() == wooconfig.authority || wooconfig.admin_authority.contains(&authority.key())
)]
pub wooconfig: Box<Account<'info, WooConfig>>,

[toprince]

same with https://github.com/sherlock-audit/2024-08-woofi-solana-deployment-judging/issues/54