The wooracles/woopools can be initialized by anyone, which can lead to DOS of pools because only one oracle/pool account exist for a certain pair of token_mint and quote_token_mint.
Vulnerability Detail
Any address may intialize an oracle and a pool for a specific token_mint and quote_token_mint pair, which will make the said pool unusable by the protocol because the authority (a malicious actor) will be able to withdraw any tokens deposited to the pool by the config’s woopool_admin_authority . The issue arises because the signer of the instruction gets declared as admin and there is no check that this signer is indeed the admin of the protocol.
Impact
Protocol’s pool will be unusable, which will lead to redeployment of the program to a new account if the team wants to expand their pools to the ones that are currently compromised.
Proud Wintergreen Butterfly
High
Possible DOS of pools leading
Summary
The wooracles/woopools can be initialized by anyone, which can lead to DOS of pools because only one oracle/pool account exist for a certain pair of
token_mint
andquote_token_mint
.Vulnerability Detail
Any address may intialize an oracle and a pool for a specific
token_mint
andquote_token_mint
pair, which will make the said pool unusable by the protocol because the authority (a malicious actor) will be able to withdraw any tokens deposited to the pool by the config’swoopool_admin_authority
. The issue arises because the signer of the instruction gets declared as admin and there is no check that this signer is indeed the admin of the protocol.Impact
Protocol’s pool will be unusable, which will lead to redeployment of the program to a new account if the team wants to expand their pools to the ones that are currently compromised.
Code Snippet
wooracle’s initialization woopool’s initialization sherlock-bot doesn't detect my references-ignore
Tool used
Manual Review
Recommendation
Implement access control, add a constraint that the signer of the instruction is the wooconfig’s
authority
.