The account is not verified, which may lead to self-transfers and cause vault assets to inflate

Summary

Using the /// CHECK annotation in conjunction with the unconstrained AccountInfo<'info> type bypasses Anchor's built-in security verification mechanisms, potentially triggering self-transfers and increasing the amount of USDC in the vault.

Root Cause

In oapp_lz_receive.rs:31-54:

   /// CHECK
    #[account()]
    pub user: AccountInfo<'info>,

    #[account(
        mut,
        associated_token::mint = deposit_token,
        associated_token::authority = user
    )]
    pub user_deposit_wallet: Account<'info, TokenAccount>,

    #[account(
        mut,
        seeds = [VAULT_AUTHORITY_SEED],
        bump = vault_authority.bump,
    )]
    pub vault_authority: Account<'info, VaultAuthority>,

    #[account(
        mut,
        associated_token::mint = deposit_token,
        associated_token::authority = vault_authority
    )]
    pub vault_deposit_wallet: Account<'info, TokenAccount>

creates a fake user:

let (vault_authority, _) = Pubkey::find_program_address(&[VAULT_AUTHORITY_SEED], ctx.program_id);

At this time, the associated_token::authority is the same. In oapp_lz_receive.rs:67-69:


            from: self.vault_deposit_wallet.to_account_info(),
            to: self.user_deposit_wallet.to_account_info(),
            authority: self.vault_authority.to_account_info()

Internal pre-conditions

The user has been set to vault_authority

External pre-conditions

None

Attack Path

Set user as vault_authority
Invoke theapply function

Impact

The number of USDC assets in the vault has inflated

PoC

No response

Mitigation

Verify that the user and ensure that the vault_deposit_wallet and user_deposit_wallet are different

sherlock-audit / 2024-09-orderly-network-solana-contract-judging

Jovial Lilac Sloth - The account is not verified, which may lead to self-transfers and cause vault assets to inflate #128