Arbitrary permission initialization of wooracle contract
Summary
The Wooracle contract in the WOOFi program can be initialized by anyone by calling the , allowing for potential misuse by malicious users. This flaw enables unauthorized actors to create fraudulent oracle instances using the official contract, leading to potential abuse and exploitation of the WOOFi infrastructure by calling the create_wooracle,
Vulnerability Detail
The code in question allows the Wooracle to be initialized without adequate authorization checks, as seen in the create_wooracle.rs file. Specifically, any user can invoke the create_wooracle function, enabling them to initialize a new instance of the oracle contract, even if they are not an authorized admin or associated with the WOOFi team.
The vulnerability exists because there is no validation of the admin or authority account passed during the initialization process. This lack of restrictions allows anyone to create a new oracle instance, bypassing proper administrative controls.
Attack scnerio: Attacker can create any wooconfig account with the same format and just pass on that account.
Create fake oracle contracts: Malicious actors could deploy fraudulent Wooracle instances using the official program, confusing or misleading other users.
Conduct fraudulent activities: These unauthorized oracle instances could be used to manipulate data or price feeds, potentially causing users to suffer financial losses.
Erode trust in the WOOFi system: The ability for anyone to initialize oracles may lead to a loss of trust in the reliability and integrity of the platform.
Code Snippet
pub struct CreateWooracle<'info> {
pub wooconfig: Box<Account<'info, WooConfig>>,
pub token_mint: Account<'info, Mint>,
#[account(
init,
payer = admin,
space = 8 + Wooracle::INIT_SPACE,
seeds = [
WOORACLE_SEED.as_bytes(),
wooconfig.key().as_ref(),
token_mint.key().as_ref(),
feed_account.key().as_ref(),
price_update.key().as_ref()
],
bump,
)]
wooracle: Account<'info, Wooracle>,
#[account(mut)]
admin: Signer<'info>,
system_program: Program<'info, System>,
/// CHECK: This is the Pyth feed account
feed_account: AccountInfo<'info>,
// Add this account to any instruction Context that needs price data.
// Warning:
// users must ensure that the account passed to their instruction is owned by the Pyth pull oracle program.
// Using Anchor with the Account<'info, PriceUpdateV2> type will automatically perform this check.
// However, if you are not using Anchor, it is your responsibility to perform this check.
price_update: Account<'info, PriceUpdateV2>,
quote_token_mint: Account<'info, Mint>,
/// CHECK: This is the Quote token's pyth feed account
quote_feed_account: AccountInfo<'info>,
// Add this account to any instruction Context that needs price data.
// Warning:
// users must ensure that the account passed to their instruction is owned by the Pyth pull oracle program.
// Using Anchor with the Account<'info, PriceUpdateV2> type will automatically perform this check.
// However, if you are not using Anchor, it is your responsibility to perform this check.
quote_price_update: Account<'info, PriceUpdateV2>,
}
Fluffy Burlap Lark
Medium
Arbitrary permission initialization of wooracle contract
Summary
The Wooracle contract in the WOOFi program can be initialized by anyone by calling the , allowing for potential misuse by malicious users. This flaw enables unauthorized actors to create fraudulent oracle instances using the official contract, leading to potential abuse and exploitation of the WOOFi infrastructure by calling the
create_wooracle
,Vulnerability Detail
The code in question allows the Wooracle to be initialized without adequate authorization checks, as seen in the create_wooracle.rs file. Specifically, any user can invoke the create_wooracle function, enabling them to initialize a new instance of the oracle contract, even if they are not an authorized admin or associated with the WOOFi team.
The vulnerability exists because there is no validation of the admin or authority account passed during the initialization process. This lack of restrictions allows anyone to create a new oracle instance, bypassing proper administrative controls.
Attack scnerio: Attacker can create any wooconfig account with the same format and just pass on that account.
https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/woofi/src/instructions/admin/create_wooracle.rs#L44C1-L45C1
Impact
Code Snippet
Tool used
Anchor
Recommendation