Actor can frontrun lz_receive and steal users’ withdrawal
Summary
A missing receiver check makes lz_receive frontrunnable, as malicious actors can call it with any user_deposit_wallet.
Root Cause
In oapp_lz_receive:111 there is no check that the receiver is the authority of user_deposit_wallet, which allows lz_receive to be called with a user_deposit_wallet that doesn't belong to the receiver.
Internal pre-conditions
None needed
External pre-conditions
The PDA payload_hash of LayerZero’s endpoint has to be set in order for the following require statement to pass.
Magnificent Cerulean Tardigrade
Medium
Attack Path
lz_receive with the same params and accounts except the user_deposit_wallet, which will be the attacker’s token account.
Impact
The user who initiated the withdrawal process suffers a loss equal to the withdrawal amount requested.
PoC
No response
Mitigation
Add a check that the user_deposit_wallet’s authority is equal to the receiver.
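The mitigation above, modelled in plain Rust as an added example (not the audited program's code, and using no Solana crates). All type and function names are hypothetical, the keys are constructed, and it assumes the receiver is taken from the withdrawal message the endpoint has already verified.

```rust
// Plain-Rust model (std only); types and names are hypothetical, not the project's.
type Pubkey = [u8; 32];

#[derive(Debug, PartialEq)]
pub enum WithdrawError { WalletAuthorityMismatch, InsufficientVaultBalance }

/// Token account: `authority` is the key allowed to spend from it.
pub struct TokenAccount { pub authority: Pubkey, pub amount: u64 }

/// Withdrawal decoded from the already-verified payload (assumption).
pub struct Withdrawal { pub receiver: Pubkey, pub amount: u64 }

fn pay_out(vault: &mut u64, wallet: &mut TokenAccount, amount: u64) -> Result<(), WithdrawError> {
    // The vault is only debited if it can cover the full amount.
    *vault = vault.checked_sub(amount).ok_or(WithdrawError::InsufficientVaultBalance)?;
    wallet.amount += amount;
    Ok(())
}

/// Behaviour the report describes: the destination is whatever wallet the caller passes.
pub fn lz_receive_unchecked(vault: &mut u64, w: &Withdrawal, wallet: &mut TokenAccount)
    -> Result<(), WithdrawError> {
    pay_out(vault, wallet, w.amount)
}

/// Mitigation: the wallet's authority must equal the receiver before any transfer.
pub fn lz_receive_checked(vault: &mut u64, w: &Withdrawal, wallet: &mut TokenAccount)
    -> Result<(), WithdrawError> {
    if wallet.authority != w.receiver {
        return Err(WithdrawError::WalletAuthorityMismatch);
    }
    pay_out(vault, wallet, w.amount)
}

fn main() {
    let (user, other) = ([1u8; 32], [2u8; 32]); // constructed keys
    let w = Withdrawal { receiver: user, amount: 100 };
    let mut vault = 1_000u64;
    let mut foreign = TokenAccount { authority: other, amount: 0 };
    let mut own = TokenAccount { authority: user, amount: 0 };
    println!("foreign wallet: {:?}", lz_receive_checked(&mut vault, &w, &mut foreign));
    println!("receiver wallet: {:?}", lz_receive_checked(&mut vault, &w, &mut own));
    println!("vault={} own={} foreign={}", vault, own.amount, foreign.amount);
}
```

In an Anchor program the same comparison is usually written declaratively, for example with the `token::authority` account constraint, so the instruction fails during account validation.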