Missing Constraint for payer Account in oapp_lz_receive.rs
Summary
The LzReceive struct lacks a constraint to restrict the payer account, allowing unauthorized entities to call this function. Although LzReceive is intended to be called exclusively by the endpoint to process cross-chain messages, the lack of an access control mechanism means that anyone can invoke it. For example, this enables an attacker to frontrun the endpoint and call this function with arbitrarily parameters, potentially leading to loss of funds.
1- An Orderly user sends a withdraw request to ledger
2- The ledger will check if the user and the vault on Solana have the enough balance for withdraw, if yes then a withdraw message will be sent to Solana to trigger that token transfer.
3- An attacker observed that transaction and frontrun LzReceive at Solana chain with his arbitrarily parameters.
4- For example the attacker can send a different token_amount an drain the vault.
Impact
Anyone can call LzReceive at Solana chain and perform a DoS attack or cause loss of funds.
PoC
No response
Mitigation
To mitigate this, implement a constraint on the payer account, restricting it to endpoint account.
Raspy Seaweed Bear
High
Missing Constraint for payer Account in oapp_lz_receive.rs
Summary
The LzReceive struct lacks a constraint to restrict the
payeraccount, allowing unauthorized entities to call this function. Although LzReceive is intended to be called exclusively by the endpoint to process cross-chain messages, the lack of an access control mechanism means that anyone can invoke it. For example, this enables an attacker to frontrun the endpoint and call this function with arbitrarily parameters, potentially leading to loss of funds.Root Cause
Cross chain message receive functionality at the destination chain should be called only by LayerZero endpoint with valid parameters sent from the source chain. This requirement is met in OAppReceiverUpgradeable.sol and SolConnector.sol: https://github.com/sherlock-audit/2024-09-orderly-network-solana-contract/blob/main/sol-cc/contracts/layerzerolabs/lz-evm-oapp-v2/contracts/oapp/OAppReceiverUpgradeable.sol#L101-L116
In oapp_lz_receive.rs,
applyis a public function that can be called by anyone since there is a missing constraint for account payer: https://github.com/sherlock-audit/2024-09-orderly-network-solana-contract/blob/main/solana-vault/packages/solana/contracts/programs/solana-vault/src/instructions/oapp_instr/oapp_lz_receive.rs#L13-L62Internal pre-conditions
none
External pre-conditions
none
Attack Path
1- An Orderly user sends a withdraw request to ledger 2- The ledger will check if the user and the vault on Solana have the enough balance for withdraw, if yes then a withdraw message will be sent to Solana to trigger that token transfer. 3- An attacker observed that transaction and frontrun LzReceive at Solana chain with his arbitrarily parameters. 4- For example the attacker can send a different token_amount an drain the vault.
Impact
Anyone can call LzReceive at Solana chain and perform a DoS attack or cause loss of funds.
PoC
No response
Mitigation
To mitigate this, implement a constraint on the payer account, restricting it to endpoint account.