Missing Conditional Registration for New LayerZero Endpoint on OApp Reinitialization May Cause Call Failures
Summary
The OApp reinitialization process lacks a conditional registration for newly configured LayerZero endpoints, leading to potential call failures if a new endpoint is specified. The LayerZero endpoint should only be registered once, but if reinitialization configures a new endpoint, registration does not occur, causing calls to fail due to the endpoint’s unregistered status.
In LayerZero's example implementation, endpoint registration occurs during initial setup, ensuring valid communication paths. The OApp, however, does not re-register if a new endpoint is added during reinitialization, leaving it unverified and potentially inactive.
Internal pre-conditions
The OApp undergoes reinitialization with a new LayerZero endpoint configured.
The reinitialization process does not trigger conditional registration for the new endpoint
External pre-conditions
The user reinitializes the OApp and configures a different LayerZero endpoint from the original.
There is no external mechanism to enforce registration of this newly configured endpoint.
Attack Path
The OApp is reinitialized, and a new LayerZero endpoint is configured without triggering registration.
Calls to LayerZero fail due to the unregistered status of the newly added endpoint, impacting OApp functionality.
Impact
The OApp may experience disruptions as calls to an unregistered, newly configured LayerZero endpoint fail. This missing conditional registration step for new endpoints affects cross-chain communication, leading to potential call failures and limited protocol usability.
Original Emerald Millipede
High
Missing Conditional Registration for New LayerZero Endpoint on OApp Reinitialization May Cause Call Failures
Summary
The OApp reinitialization process lacks a conditional registration for newly configured LayerZero endpoints, leading to potential call failures if a new endpoint is specified. The LayerZero endpoint should only be registered once, but if reinitialization configures a new endpoint, registration does not occur, causing calls to fail due to the endpoint’s unregistered status.
Root Cause
During OApp reinitialization, there is no check to register a new LayerZero endpoint if the configuration has changed. The initial setup registers the endpoint correctly, but reinitialization does not trigger registration if a different endpoint is introduced. https://github.com/sherlock-audit/2024-09-orderly-network-solana-contract/blob/main/solana-vault/packages/solana/contracts/programs/solana-vault/src/state/oapp_state/oapp_config.rs#L32-L41
https://github.com/sherlock-audit/2024-09-orderly-network-solana-contract/blob/main/solana-vault/packages/solana/contracts/programs/solana-vault/src/instructions/oapp_instr/reinit_oapp.rs#L29-L46
xample:
In LayerZero's example implementation, endpoint registration occurs during initial setup, ensuring valid communication paths. The OApp, however, does not re-register if a new endpoint is added during reinitialization, leaving it unverified and potentially inactive.
Internal pre-conditions
External pre-conditions
Attack Path
Impact
The OApp may experience disruptions as calls to an unregistered, newly configured LayerZero endpoint fail. This missing conditional registration step for new endpoints affects cross-chain communication, leading to potential call failures and limited protocol usability.
PoC
No response
Mitigation
No response