admin can change permission for broker hash and token hash and both of them will be checked in deposit function but token hash and broker hash wouldn't check in lzReceive function and this causes even when admin set a token as disallowed still message for that be processed
PoC
Textual PoC:
lets assume admin set usdc as a allowed token and users deposit their assets in solana vault and after a while admin decide to disallowed usdc for a while but users can withdraw their assets because token hash and broker hash from received message wouldn't be check in lzReceive instruction
Petite Pecan Starfish
Medium
users can withdraw disallowed tokens
Summary
users can withdraw disallowed tokens
Root Cause
admin can change permission for broker hash and token hash and both of them will be checked in deposit function but token hash and broker hash wouldn't check in lzReceive function and this causes even when admin set a token as disallowed still message for that be processed
PoC
Textual PoC: lets assume admin set usdc as a allowed token and users deposit their assets in solana vault and after a while admin decide to disallowed usdc for a while but users can withdraw their assets because token hash and broker hash from received message wouldn't be check in lzReceive instruction
Code Snippet
https://github.com/sherlock-audit/2024-09-orderly-network-solana-contract/blob/main/solana-vault/packages/solana/contracts/programs/solana-vault/src/instructions/oapp_instr/oapp_lz_receive.rs#L75
Impact
users can withdraw disallowed tokens
Mitigation
consider to check token hash and broker hash in received message