The missing validation of deposit_token in the deposit instruction within the Orderly Vaults implementation allows attackers to deposit arbitrary tokens, potentially leading to unauthorized fund transfers across chains. Based on the LayerZero OFT model, which verifies token_mint during send instructions, Orderly Vaults should similarly validate token_mint in the deposit instruction to prevent unauthorized tokens from being deposited and transferred.
The deposit instruction in Orderly Vaults is called without deposit_token validation.
The user submits arbitrary token data in DepositParams, which is not checked against expected tokens.
External pre-conditions
The user has access to the deposit function in Orderly Vaults and can submit tokens for cross-chain transfers.
No external validation mechanism exists to ensure deposit_token is the expected token for deposits.
Attack Path
The attacker initiates a deposit call in Orderly Vaults, providing DepositParams with an arbitrary token account.
Without deposit_token validation, the deposit is accepted, allowing the attacker to bypass expected token requirements.
The attacker sends the unvalidated tokens across chains via Orderly Vaults, potentially resulting in unauthorized fund transfers.
Impact
Orderly Vaults could suffer losses as unauthorized tokens are deposited and transferred across chains. This vulnerability allows users to send arbitrary tokens that are not verified against deposit_token, which can lead to misuse of the cross-chain transfer mechanism and potential fund siphoning.
Original Emerald Millipede
High
[High] Missing
deposit_tokenValidation in Orderly Vaults deposit Instruction Allows Unauthorized Cross-Chain TransfersSummary
The missing validation of
deposit_tokenin the deposit instruction within the Orderly Vaults implementation allows attackers to deposit arbitrary tokens, potentially leading to unauthorized fund transfers across chains. Based on the LayerZero OFT model, which verifiestoken_mintduring send instructions, Orderly Vaults should similarly validate token_mint in the deposit instruction to prevent unauthorized tokens from being deposited and transferred.Root Cause
The design of the deposit instruction in Orderly Vaults does not validate
deposit_token, allowing it to act as a free account rather than verifying it as the intended token. Without validation, arbitrary tokens can be deposited and processed for cross-chain transfers, compromising the security of the Orderly Vaults system. https://github.com/sherlock-audit/2024-09-orderly-network-solana-contract/blob/main/solana-vault/packages/solana/contracts/programs/solana-vault/src/instructions/vault_instr/deposit.rs#L49Internal pre-conditions
deposit_tokenvalidation.External pre-conditions
deposit_tokenis the expected token for deposits.Attack Path
DepositParamswith an arbitrary token account.deposit_tokenvalidation, the deposit is accepted, allowing the attacker to bypass expected token requirements.Impact
Orderly Vaults could suffer losses as unauthorized tokens are deposited and transferred across chains. This vulnerability allows users to send arbitrary tokens that are not verified against
deposit_token, which can lead to misuse of the cross-chain transfer mechanism and potential fund siphoning.PoC
No response
Mitigation
No response