Fees is not tabulated properly in oapp_lz_receive.rs
Summary
In oapp_lz_receive.rs, the fees is calculated through the withdraw params, and is deducted from the actual token amount to be transferred to the user. amount_to_transfer = withdraw_params.token_amount - withdraw_params.fee;
This leaves the fee amount in the vault_deposit_wallet. With many messages that are being received, vault_deposit_wallet will not know how much fees are collected.
Root Cause
In oapp_lz_receive, the actual amount to transfer to the user is the amount minus fees.
transfer_token_ctx transfers funds from the vault_deposit_wallet to the user_deposit_wallet, which means that vault_deposit_wallet holds both the funds and the fees.
fn transfer_token_ctx(&self) -> CpiContext<'_, '_, '_, 'info, Transfer<'info>> {
let cpi_accounts = Transfer {
from: self.vault_deposit_wallet.to_account_info(),
to: self.user_deposit_wallet.to_account_info(),
authority: self.vault_authority.to_account_info(),
};
let cpi_program = self.token_program.to_account_info();
CpiContext::new(cpi_program, cpi_accounts)
}
The fees is left in the vault_deposit_wallet account, but it is not stored as a value.
vault_deposit_wallet account owner will not know the actual amount of fees being collected.
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
No response
Impact
Fees are not calculated and tabulated, the owner will not know how much fees is collected at any point in time.
PoC
No response
Mitigation
Have another variable that tracks the fees amount for every message received.
Droll Cider Armadillo
Medium
Fees is not tabulated properly in oapp_lz_receive.rs
Summary
In
oapp_lz_receive.rs, the fees is calculated through the withdraw params, and is deducted from the actual token amount to be transferred to the user.amount_to_transfer = withdraw_params.token_amount - withdraw_params.fee;This leaves the fee amount in the
vault_deposit_wallet. With many messages that are being received,vault_deposit_walletwill not know how much fees are collected.Root Cause
In oapp_lz_receive, the actual amount to transfer to the user is the amount minus fees.
transfer_token_ctxtransfers funds from thevault_deposit_walletto theuser_deposit_wallet, which means thatvault_deposit_walletholds both the funds and the fees.The fees is left in the
vault_deposit_walletaccount, but it is not stored as a value.vault_deposit_walletaccount owner will not know the actual amount of fees being collected.Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
No response
Impact
Fees are not calculated and tabulated, the owner will not know how much fees is collected at any point in time.
PoC
No response
Mitigation
Have another variable that tracks the fees amount for every message received.