The CreatePool and CreateWooracle functions lack sufficient permission verification, allowing anyone to create new pools.
This could lead to very serious issues, such as malicious users creating pools with incorrect oracle price information. These malicious pools could swap with admin-created pools and siphon off funds from the contract.
Users could also perform dos attacks by manipulating the creation of new pools by the admin(because pool and oracles is PDA).
Vulnerability Detail
#[derive(Accounts)]
pub struct CreateWooracle<'info> {
pub wooconfig: Box<Account<'info, WooConfig>>,
pub token_mint: Account<'info, Mint>,
#[account(
init,
payer = admin,
space = 8 + Wooracle::INIT_SPACE,
seeds = [
WOORACLE_SEED.as_bytes(),
wooconfig.key().as_ref(),
token_mint.key().as_ref(),
feed_account.key().as_ref(),
price_update.key().as_ref()
],
bump,
)]
wooracle: Account<'info, Wooracle>,
#[account(mut)]
admin: Signer<'info>,
system_program: Program<'info, System>,
/// CHECK: This is the Pyth feed account
feed_account: AccountInfo<'info>,
// Add this account to any instruction Context that needs price data.
// Warning:
// users must ensure that the account passed to their instruction is owned by the Pyth pull oracle program.
// Using Anchor with the Account<'info, PriceUpdateV2> type will automatically perform this check.
// However, if you are not using Anchor, it is your responsibility to perform this check.
price_update: Account<'info, PriceUpdateV2>,
quote_token_mint: Account<'info, Mint>,
/// CHECK: This is the Quote token's pyth feed account
quote_feed_account: AccountInfo<'info>,
// Add this account to any instruction Context that needs price data.
// Warning:
// users must ensure that the account passed to their instruction is owned by the Pyth pull oracle program.
// Using Anchor with the Account<'info, PriceUpdateV2> type will automatically perform this check.
// However, if you are not using Anchor, it is your responsibility to perform this check.
quote_price_update: Account<'info, PriceUpdateV2>,
}
The transaction context above lacks a check to verify if the signer is an authorized user of Wooconfig, which allows anyone to create new pools
Malicious actors can create harmful pools to swap with the system's pools, for example, by creating a pool for a base token that provides correct quote tokens but delivers incorrect price information. This allows them to profit by swapping with existing legitimate pools.
Impact
The admin's operation to create new pools may be subject to attacks.
Malicious actors can create harmful pools to swap with legitimate pools, leading to potential financial losses for the protocol.
Fresh Pineapple Dalmatian
High
Allow anyone to create new Wooracles and Woopools
Summary
The CreatePool and CreateWooracle functions lack sufficient permission verification, allowing anyone to create new pools.
This could lead to very serious issues, such as malicious users creating pools with incorrect oracle price information. These malicious pools could swap with admin-created pools and siphon off funds from the contract.
Users could also perform dos attacks by manipulating the creation of new pools by the admin(because pool and oracles is PDA).
Vulnerability Detail
The transaction context above lacks a check to verify if the signer is an authorized user of Wooconfig, which allows anyone to create new pools
Malicious actors can create harmful pools to swap with the system's pools, for example, by creating a pool for a base token that provides correct quote tokens but delivers incorrect price information. This allows them to profit by swapping with existing legitimate pools.
Impact
Code Snippet
https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/1c4c9c622e8c44ae2f8cd4219c7c2a0181f25ca0/WOOFi_Solana/programs/woofi/src/instructions/admin/create_wooracle.rs#L43 https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/1c4c9c622e8c44ae2f8cd4219c7c2a0181f25ca0/WOOFi_Solana/programs/woofi/src/instructions/admin/create_pool.rs#L8
Tool used
Manual Review
Recommendation