Helpful Jetblack Snake - A malicious user could profit by front-running the set_price_handler().

[sherlock-admin3]

Helpful Jetblack Snake

Medium

A malicious user could profit by front-running the set_price_handler().

Summary

A malicious user could profit by front-running the set_price_handler().

Vulnerability Detail

pub fn set_price_handler(ctx: Context<SetWooStateOnlyAdmin>, price: u128) -> Result<()> {
    let wooracle = &mut ctx.accounts.wooracle;
    wooracle.update_spread_for_new_price(price)?;
    wooracle.update_price(price)?;
    wooracle.update_now()
}

The README provides the following information regarding price:

“We have an offchain script, posting the prices of supported tokens (SOL, USDT, etc.) to the Wooracle contract on Solana.”

Therefore, the prices for user transactions primarily come from the prices set by the script.

For example, when the SOL/USDT price increases—if the current oracle price is 100 USD, and the script sets the price to 101 USD—a SOL buyer could profit by front-running the set_price_handler().

Similarly, when the SOL/USDT price decreases—if the current oracle price is 100 USD, and the script sets the price to 99 USD—a SOL seller could profit by front-running the set_price_handler().

Although the get_price_impl() function compares the wooracle.price with the Pyth oracle to prevent the wooracle.price from deviating too much from Pyth’s price, there is still considerable profit potential. For example, if the price difference is 1%, a difference of 1000 USD could still result in a profit of 10 USD.

Impact

A malicious user could profit

Code Snippet

https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/woofi/src/instructions/admin/set_woo_state.rs#L58

Tool used

Manual Review

Recommendation

Consider executing trades at the market price from pyth oracle.