token accounts are not verified against token_hash
Summary
In Solana vault's deposit and withdraw flows token accounts are not verified against token_hash, this makes it possible for an attacker to withdraw from or deposit to the vault any token but make it seem like its any other token.
Attacker calls deposit with usdc_hash, for token accounts attacker chooses some other token that is worth less than usdc, but for the protocol it will seem an amount of usdc was deposited to the vault.
After deposit process is done, withdrawal process can take place with the same parameters but this time specifying usdc accounts, attacker profits.
This attack path assumes some amount of usdc is already deposited to the vault.
Impact
Loss of funds.
PoC
No response
Mitigation
deposit_token should be checked against the token_hash parameter.
Dandy Lavender Terrier
High
token accounts are not verified against token_hash
Summary
In Solana vault's deposit and withdraw flows token accounts are not verified against token_hash, this makes it possible for an attacker to withdraw from or deposit to the vault any token but make it seem like its any other token.
Root Cause
In
oapp_lz_receive.rsanddeposit.rs,deposit_tokenaccount is not checked againtstoken_hashparameter, token accounts are not included in the message either.: https://github.com/sherlock-audit/2024-09-orderly-network-solana-contract/blob/main/solana-vault/packages/solana/contracts/programs/solana-vault/src/instructions/oapp_instr/oapp_lz_receive.rs#L10-L146 https://github.com/sherlock-audit/2024-09-orderly-network-solana-contract/blob/main/solana-vault/packages/solana/contracts/programs/solana-vault/src/instructions/vault_instr/deposit.rs#L20-L176Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
Impact
Loss of funds.
PoC
No response
Mitigation
deposit_tokenshould be checked against the token_hash parameter.