Tangy Mocha Fox - Withdrawn USDC from `SolanaVault` can be replaced with any token

[sherlock-admin3]

Tangy Mocha Fox

High

Withdrawn USDC from SolanaVault can be replaced with any token

Summary

There is no validation that the deposit_token account is USDC or the allowed_token when running lz_receive(). Anyone that runs lz_receive() on the withdrawal message can use a worthless token for deposit_token so the recipient gets that worthless token instead of USDC.

Root Cause

In oapp_lz_receive.rs::35-133, there is no validation that deposit_token is USDC or the allowed_token.

Internal pre-conditions

No response

External pre-conditions

1. A user withdraws USDC from a source chain to Solana.

Attack Path

1. The Attacker deploys a worthless token.
2. The Attacker then deposits the worthless token into SolanaVault so the vault_token_account is created.
3. Once the withdrawal message has been verified, the attacker executes it by calling lz_receive() on SolanaVault with the appropriate params for the target message. Typically, the Executor does this but it is open to anyone.
4. The Attacker passes a worthless deposit_token so the recipient receives the worthless token instead of USDC.

Note that is a different issue from the Attacker sending the tokens to themselves due to lacking validation on the user_deposit_wallet.

Impact

The withdrawer loses all their USDC in place of worthless tokens. There is no cost to the attacker apart from gas. This is a permanent loss of funds.

PoC

No response

Mitigation

Consider validating that the deposit_token is the allowed_token.