sherlock-audit / 2024-09-orderly-network-solana-contract-judging


Abundant Walnut Rooster - Unchecked CPI Result in OApp Registration #175

Closed sherlock-admin2 closed 4 days ago

sherlock-admin2 commented 4 days ago

Abundant Walnut Rooster

Low/Info

Unchecked CPI Result in OApp Registration

Summary

Missing CPI result validation will cause initialization state inconsistency for the protocol as the OApp registration could silently fail while the initialization appears successful.

Root Cause

In oapp_config.rs:33, the registration CPI call result is not checked: https://github.com/sherlock-audit/2024-09-orderly-network-solana-contract/blob/main/solana-vault/packages/solana/contracts/programs/solana-vault/src/state/oapp_state/oapp_config.rs#L33-L41

Internal pre-conditions

  1. OAppConfig account is being initialized
  2. Any condition that could cause the CPI call to fail (insufficient funds, invalid accounts)

External pre-conditions

  1. LayerZero endpoint program is available but might reject the registration

Attack Path

Not an attack vector per se, but a vulnerability path:

  1. User initiates OApp configuration
  2. Internal state is set (admin, endpoint program)
  3. CPI to register_oapp fails silently
  4. OAppConfig appears initialized but registration is not complete
  5. Subsequent operations expecting registration may fail
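The root cause and attack path above, modelled as an added stand-alone Rust example (not the audited program's code, and using no Solana or Anchor crates): a hypothetical `MockEndpoint` stands in for the endpoint program's `register_oapp` CPI, `init_unchecked` drops its `Result` the way the finding describes, and `init_checked` propagates it with `?` so the instruction fails instead of reporting success.

```rust
// Constructed model of the finding. Returning the config by value mirrors
// Solana semantics: an instruction that returns Err persists no account
// writes, while an Ok return commits everything that was written.

#[derive(Debug, PartialEq)]
pub enum ProgramError {
    RegistrationRejected,
}

/// Hypothetical stand-in for the remote endpoint program.
pub struct MockEndpoint {
    pub accept: bool,                 // whether register_oapp succeeds
    pub registered: Vec<[u8; 32]>,    // OApps the endpoint has recorded
}

impl MockEndpoint {
    /// Stand-in for the register_oapp CPI: Err when the endpoint rejects.
    pub fn register_oapp(&mut self, oapp: [u8; 32]) -> Result<(), ProgramError> {
        if !self.accept {
            return Err(ProgramError::RegistrationRejected);
        }
        self.registered.push(oapp);
        Ok(())
    }
}

#[derive(Debug, PartialEq)]
pub struct OAppConfig {
    pub admin: [u8; 32],
    pub endpoint_program: [u8; 32],
}

/// Vulnerable shape: the CPI result is discarded (`let _ =` also silences the
/// compiler's unused-Result warning), so initialisation reports Ok and the
/// config is committed even though the endpoint rejected the registration.
pub fn init_unchecked(ep: &mut MockEndpoint, admin: [u8; 32], oapp: [u8; 32]) -> Result<OAppConfig, ProgramError> {
    let cfg = OAppConfig { admin, endpoint_program: [0xEE; 32] }; // constructed endpoint id
    let _ = ep.register_oapp(oapp);
    Ok(cfg)
}

/// Hardened shape: `?` propagates the CPI error, so a rejected registration
/// fails the whole instruction and no OAppConfig is persisted.
pub fn init_checked(ep: &mut MockEndpoint, admin: [u8; 32], oapp: [u8; 32]) -> Result<OAppConfig, ProgramError> {
    let cfg = OAppConfig { admin, endpoint_program: [0xEE; 32] };
    ep.register_oapp(oapp)?;
    Ok(cfg)
}

/// Invariant a reviewer would check: a committed config implies a registered OApp.
pub fn state_consistent(cfg: &Option<OAppConfig>, ep: &MockEndpoint, oapp: &[u8; 32]) -> bool {
    cfg.is_none() || ep.registered.contains(oapp)
}
```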

Impact

The protocol suffers from an inconsistent state where:

PoC

No response

Mitigation

No response