Fit Canvas Pangolin - In the _lzSend() function call, the _refundAddress is incorrectly set to address(this).

[sherlock-admin2]

Fit Canvas Pangolin

High

In the _lzSend() function call, the _refundAddress is incorrectly set to address(this).

Summary

In the _lzSend() function call, the _refundAddress is incorrectly set to address(this).

Root Cause

https://github.com/sherlock-audit/2024-09-orderly-network-solana-contract/blob/main/sol-cc/contracts/SolConnector.sol#L97

   function withdraw(WithdrawDataSol calldata _withdrawData) external onlyLedger {
        AccountWithdrawSol memory withdrawData = AccountWithdrawSol(
            Utils.getSolAccountId(_withdrawData.sender, _withdrawData.brokerId),
            _withdrawData.sender,
            _withdrawData.receiver,
            Utils.calculateStringHash(_withdrawData.brokerId),
            Utils.calculateStringHash(_withdrawData.tokenSymbol),
            _withdrawData.tokenAmount,
            _withdrawData.fee,
            _withdrawData.chainId,
            _withdrawData.withdrawNonce
        );

        bytes memory payload = MsgCodec.encodeWithdrawPayload(withdrawData);
        bytes memory lzWithdrawMsg = MsgCodec.encodeLzMsg(uint8(MsgCodec.MsgType.Withdraw), payload);
        bytes memory withdrawOptions = OptionsBuilder.newOptions().addExecutorLzReceiveOption(
            msgOptions[uint8(MsgCodec.MsgType.Withdraw)].gas,
            msgOptions[uint8(MsgCodec.MsgType.Withdraw)].value
        );
        MessagingFee memory _msgFee = _quote(solEid, lzWithdrawMsg, withdrawOptions, false);
@>>        _lzSend(solEid, lzWithdrawMsg, withdrawOptions, _msgFee, address(this));
    }

When a user withdraws their funds, they pay the LayerZero gas fee. Any remaining gas fee should be refunded to the user rather than being retained in the contract.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

The user loses the remaining gas fees.

PoC

No response

Mitigation

Set _refundAddress to the user’s address