Nice Hemp Raccoon - When a PDA (Program Derived Address) is required to perform signing operations but invoke_signed is not used, the transaction will fail #170
let oapp_signer = ctx.accounts.oapp_config.key();
ctx.accounts.oapp_config.init(
params.endpoint_program,
params.admin,
ctx.remaining_accounts,
oapp_signer,
)
However, the PDA (Program Derived Address), which is the address of oapp_config, cannot directly sign transactions because it does not have a private key. To enable a PDA to sign operations that require a signature, you must use the invoke_signed method and provide the correct seed and bump values.
Root Cause
No response
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
No response
Impact
No response
PoC
No response
Mitigation
In the init method of oapp_config, ensure that you’re using invoke_signed to perform actions that require the PDA to sign.
Nice Hemp Raccoon
High
When a PDA (Program Derived Address) is required to perform signing operations but invoke_signed is not used, the transaction will fail
Summary
https://github.com/sherlock-audit/2024-09-orderly-network-solana-contract/blob/main/solana-vault/packages/solana/contracts/programs/solana-vault/src/instructions/oapp_instr/init_oapp.rs#L31 your apply function, you are attempting to call the init method of oapp_config and passing oapp_signer as the signer:
However, the PDA (Program Derived Address), which is the address of oapp_config, cannot directly sign transactions because it does not have a private key. To enable a PDA to sign operations that require a signature, you must use the invoke_signed method and provide the correct seed and bump values.
Root Cause
No response
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
No response
Impact
No response
PoC
No response
Mitigation
In the init method of oapp_config, ensure that you’re using invoke_signed to perform actions that require the PDA to sign.