Attacker can steal funds by withdrawing a token different from the request withdrawal token
Radiant Punch Dalmatian
Medium
Summary
The solana_vault::lz_receive function does not check that the deposit_token mint account is the token mint corresponding to the token_hash in the withdrawal message being processed. An attacker can supply a different token mint as the deposit_token mint account than the one in the message. The vault would transfer these tokens instead of the actual tokens.
Essentially, an attacker withdraws one token on the Orderly chain and receives a different token of the same amount on the Solana side. The attacker profits from the difference in the value of the two accounts.
LayerZero V2 separates the delivery and execution of messages. As a result, anyone can call the solana_vault::lz_receive function once the withdrawal message has been verified by the LZ DVNs and has been delivered.
This allows an attacker to call lz_receive with their own accounts and the verified message.
Root Cause
The solana_vault::lz_receive instruction does not check that the deposit_token account is the mint account corresponding to the token_hash in the withdrawal message.
https://github.com/sherlock-audit/2024-09-orderly-network-solana-contract/blob/main/solana-vault/packages/solana/contracts/programs/solana-vault/src/instructions/oapp_instr/oapp_lz_receive.rs#L56-L57
Internal pre-conditions
vault_authority owns more than one token, USDC and some X.
This is possible if solana_vault adds support for tokens other than USDC as indicated by code comments:
https://github.com/sherlock-audit/2024-09-orderly-network-solana-contract/blob/main/solana-vault/packages/solana/contracts/programs/solana-vault/src/state/oapp_state/oapp_config.rs#L11-L13
External pre-conditions
No response
Attack Path
solana_vault has collected deposits of 1 million USDC.
vault_authority owns 1 million USDC
OApp is reinitialized with X token that has 6 decimals and value of 0.5 USD.
X tokens and the ledger is updated.
X tokens
SolConnector sends the withdrawal message.
lz_receive function with the verified message but sets deposit_token mint to the USDC mint and the ATA accounts to the USDC mint accounts
Impact
Attacker can steal protocol tokens
PoC
No response
Mitigation
No response
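One way to bind the supplied deposit_token mint to the token_hash of the verified message, as described under Root Cause. This is an added example, not part of the original report or the Orderly code base: it is a std-only model rather than Anchor code, and the Vault, WithdrawMsg, allowed registry, lz_receive_unchecked and lz_receive_checked names, along with all byte values and amounts, are assumptions constructed for illustration.

```rust
// Added illustration (std-only model, not the Orderly program's code).
// Type names, the registry layout and all byte values are constructed for this example.
use std::collections::HashMap;

type Key = [u8; 32]; // stands in for a Pubkey or a 32-byte token hash
struct WithdrawMsg { token_hash: Key, amount: u64 } // payload already verified by the DVNs

struct Vault {
    allowed: HashMap<Key, Key>,  // token_hash -> mint registered for it (assumed registry)
    balances: HashMap<Key, u64>, // mint -> amount held by vault_authority
}

#[derive(Debug, PartialEq)]
enum VaultError { UnknownToken, MintMismatch, Insufficient }

impl Vault {
    // Behaviour the report describes: the caller-supplied mint is never tied to the message.
    fn lz_receive_unchecked(&mut self, msg: &WithdrawMsg, deposit_token: Key) -> Result<(), VaultError> {
        self.pay(deposit_token, msg.amount)
    }
    // Hardened: look up the mint for msg.token_hash and refuse any other supplied mint.
    fn lz_receive_checked(&mut self, msg: &WithdrawMsg, deposit_token: Key) -> Result<(), VaultError> {
        let expected = self.allowed.get(&msg.token_hash).ok_or(VaultError::UnknownToken)?;
        if *expected != deposit_token { return Err(VaultError::MintMismatch); }
        self.pay(deposit_token, msg.amount)
    }
    fn pay(&mut self, mint: Key, amount: u64) -> Result<(), VaultError> {
        let bal = self.balances.get_mut(&mint).ok_or(VaultError::Insufficient)?;
        *bal = bal.checked_sub(amount).ok_or(VaultError::Insufficient)?;
        Ok(())
    }
}

// Constructed scenario: the vault holds USDC and X; the verified message withdraws X.
// Returns (checked result, USDC left after it, unchecked result, USDC left after it).
fn demo() -> (Result<(), VaultError>, u64, Result<(), VaultError>, u64) {
    let (usdc_hash, x_hash, usdc_mint, x_mint) = ([1u8; 32], [2u8; 32], [3u8; 32], [4u8; 32]);
    let mut v = Vault {
        allowed: HashMap::from([(usdc_hash, usdc_mint), (x_hash, x_mint)]),
        balances: HashMap::from([(usdc_mint, 1_000_000), (x_mint, 1_000_000)]),
    };
    let msg = WithdrawMsg { token_hash: x_hash, amount: 1_000_000 };
    let checked = v.lz_receive_checked(&msg, usdc_mint);
    let after_checked = v.balances[&usdc_mint];
    let unchecked = v.lz_receive_unchecked(&msg, usdc_mint);
    (checked, after_checked, unchecked, v.balances[&usdc_mint])
}

fn main() { println!("{:?}", demo()); }
```

In an on-chain program the same comparison would run against the mint account passed to the instruction, before any transfer is issued.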