Petite Pecan Starfish
High
Malicious user can bypass the allowed broker hash check
Summary
A malicious user can bypass the allowed broker hash check.
Root Cause
The deposit function takes the broker hash and the account id as parameters from the user, but only the broker hash is validated, so a malicious user can bypass the allowed-broker restriction.
Code Snippet
https://github.com/sherlock-audit/2024-09-orderly-network-solana-contract/blob/main/solana-vault/packages/solana/contracts/programs/solana-vault/src/instructions/vault_instr/deposit.rs#L82
PoC
Textual PoC:
1. Broker A has been allowed by the admin with the set_broker instruction.
2. An account id has been generated with broker B, which is a disallowed broker.
3. The malicious user passes broker A's hash and the account id made from the disallowed broker to the deposit function.

As a result, the deposit function executes successfully.

Please run the commands from the readme and then replace 05deposit_vault.ts with the provided PoC; as you can see, the account id has been generated based on a disallowed broker.

Coded PoC:
```typescript
import * as anchor from "@coral-xyz/anchor";
import { Keypair, PublicKey, SystemProgram, Transaction, ComputeBudgetProgram, sendAndConfirmTransaction } from "@solana/web3.js";
import { hexlify } from '@ethersproject/bytes'
import { OftTools } from "@layerzerolabs/lz-solana-sdk-v2";
import { Options } from "@layerzerolabs/lz-v2-utilities";
import * as utils from "./utils";
import * as constants from "./constants";
import { PacketPath } from '@layerzerolabs/lz-v2-utilities'
import { EndpointProgram, EventPDADeriver, SimpleMessageLibProgram, UlnProgram } from '@layerzerolabs/lz-solana-sdk-v2'
import OAppIdl from "../target/idl/solana_vault.json";
import { SolanaVault } from "../target/types/solana_vault";
import { utf8 } from "@coral-xyz/anchor/dist/cjs/utils/bytes";

const OAPP_PROGRAM_ID = new PublicKey(OAppIdl.metadata.address);
const OAppProgram = anchor.workspace.SolanaVault as anchor.Program<SolanaVault>;
```
Impact
A malicious user can bypass the restriction on disallowed brokers and deposit with an account id generated from a disallowed broker.
Mitigation
Consider validating the account id on both sides.
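
Added example (not from the report or the project's code): a dependency-free Rust model of the deposit check, showing the broker-only validation accepting the parameters from the textual PoC and a variant that also recomputes the account id rejecting them. Assumptions: all names here are hypothetical, the account id is taken to be derived from the user key and the broker hash, and an FNV-1a mix stands in for the program's real account-id hash.

```rust
use std::collections::HashSet;

type Bytes32 = [u8; 32];

/// Stand-in derivation (assumption): FNV-1a over user || broker_hash, one lane
/// per 8 output bytes. NOT cryptographic; a real program calls its own hash here.
fn derive_account_id(user: &Bytes32, broker_hash: &Bytes32) -> Bytes32 {
    let mut out = [0u8; 32];
    for (lane, chunk) in out.chunks_mut(8).enumerate() {
        let mut h: u64 = 0xcbf29ce484222325 ^ lane as u64;
        for b in user.iter().chain(broker_hash.iter()) {
            h = (h ^ *b as u64).wrapping_mul(0x100000001b3);
        }
        chunk.copy_from_slice(&h.to_le_bytes());
    }
    out
}

struct DepositParams { account_id: Bytes32, broker_hash: Bytes32 }

#[derive(Debug, PartialEq)]
enum DepositError { BrokerNotAllowed, AccountIdMismatch }

/// Behaviour described in the report: only broker_hash is checked.
fn deposit_broker_only(allowed: &HashSet<Bytes32>, p: &DepositParams) -> Result<(), DepositError> {
    if !allowed.contains(&p.broker_hash) { return Err(DepositError::BrokerNotAllowed); }
    Ok(())
}

/// Hardened variant: account_id must be the one derived from (user, broker_hash).
fn deposit_bound(allowed: &HashSet<Bytes32>, user: &Bytes32, p: &DepositParams) -> Result<(), DepositError> {
    deposit_broker_only(allowed, p)?;
    if derive_account_id(user, &p.broker_hash) != p.account_id {
        return Err(DepositError::AccountIdMismatch);
    }
    Ok(())
}

/// Constructed scenario from the textual PoC: broker A allowed, id built from broker B.
fn poc_params(user: &Bytes32) -> (HashSet<Bytes32>, DepositParams) {
    let (broker_a, broker_b): (Bytes32, Bytes32) = ([0xAA; 32], [0xBB; 32]);
    let allowed = HashSet::from([broker_a]);
    (allowed, DepositParams { account_id: derive_account_id(user, &broker_b), broker_hash: broker_a })
}

fn main() {
    let user: Bytes32 = [0x01; 32];
    let (allowed, p) = poc_params(&user);
    println!("broker-only check: {:?}", deposit_broker_only(&allowed, &p));
    println!("bound check:       {:?}", deposit_bound(&allowed, &user, &p));
}
```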