sherlock-audit / 2024-09-orderly-network-solana-contract-judging


Droll Cider Armadillo - sequential messaging in oapp_lz_receive can be easily attacked #144

Open sherlock-admin3 opened 4 days ago

sherlock-admin3 commented 4 days ago

Droll Cider Armadillo

Medium

sequential messaging in oapp_lz_receive can be easily attacked

Summary

oapp_lz_receive.rs uses sequential messaging when receiving messages through lzReceive(). If vault_authority.order_delivery is turned on, messages can only come in order.

There are a few ways the messaging sequence can fail, such as:

  1. Having too few tokens in vault_deposit_wallet.
  2. user_deposit_wallet not initialized.
  3. Either account being frozen.
  4. Too little gas available.

When the messaging sequence fails, other messages cannot pass, making the whole messaging system fail.

Root Cause

In oapp_lz_receive.apply, one of the params of OAppLzReceiveParams is nonce. This nonce is used when order_delivery is set to true.

        if ctx.accounts.vault_authority.order_delivery {
            require!(
                params.nonce == ctx.accounts.vault_authority.inbound_nonce + 1,
                OAppError::InvalidInboundNonce
            );
        }

In the LayerZero example, nonce is not used for sequential messaging.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

If one message fails, all subsequent messages cannot be read.

Setting severity as Medium as order_delivery can always be turned off.

PoC

No response

Mitigation

It is best to allow out-of-order execution, as the messaging sequence can be easily disrupted.
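
The blocking behaviour described in this report, as an added example that is not part of the original issue or the project's code. It is a toy model of the quoted nonce check: `VaultAuthority`, `lz_receive`, `delivered`, and the `exec_ok` flag are hypothetical, and it assumes a failed transaction rolls back so `inbound_nonce` does not advance.

```rust
// Toy model of the nonce gate quoted above; not the project's code.
#[derive(Debug, PartialEq)]
enum RecvError {
    InvalidInboundNonce, // mirrors OAppError::InvalidInboundNonce
    ExecutionFailed,     // e.g. frozen account or uninitialized wallet
}

struct VaultAuthority {
    order_delivery: bool,
    inbound_nonce: u64,
}

// `exec_ok` is a constructed flag standing in for whether the rest of the
// instruction (token transfer etc.) would succeed.
fn lz_receive(va: &mut VaultAuthority, nonce: u64, exec_ok: bool) -> Result<(), RecvError> {
    if va.order_delivery && nonce != va.inbound_nonce + 1 {
        return Err(RecvError::InvalidInboundNonce);
    }
    if !exec_ok {
        // Assumption: a failed transaction rolls back, so the nonce does not advance.
        return Err(RecvError::ExecutionFailed);
    }
    if va.order_delivery {
        va.inbound_nonce = nonce;
    }
    Ok(())
}

// Feeds messages in arrival order and returns the nonces that were delivered.
// This model does not track replays when order_delivery is off.
fn delivered(order_delivery: bool, msgs: &[(u64, bool)]) -> Vec<u64> {
    let mut va = VaultAuthority { order_delivery, inbound_nonce: 0 };
    msgs.iter()
        .filter(|(n, ok)| lz_receive(&mut va, *n, *ok).is_ok())
        .map(|(n, _)| *n)
        .collect()
}

fn main() {
    // Constructed sample: message 2 cannot execute.
    let msgs = [(1, true), (2, false), (3, true), (4, true)];
    println!("ordered:   {:?}", delivered(true, &msgs));
    println!("unordered: {:?}", delivered(false, &msgs));
}
```

With `order_delivery` on, every message after the failing one is rejected with `InvalidInboundNonce` until that message can execute; with it off, only the failing message is lost.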