Plain Corduroy Goblin - Attacker will drain vault assets through token validation bypass

[sherlock-admin2]

Plain Corduroy Goblin

High

Attacker will drain vault assets through token validation bypass

Summary

Missing validation between deposit_token and allowed_token.mint_account will cause a complete loss of assets for the vault as attackers will deposit worthless tokens using legitimate token hashes.

Root Cause

In deposit.rs the deposit_token account lacks validation against allowed_token.mint_account, allowing any token mint to be used when correct token hash is provided.

https://github.com/sherlock-audit/2024-09-orderly-network-solana-contract/blob/main/solana-vault/packages/solana/contracts/programs/solana-vault/src/instructions/vault_instr/deposit.rs#L49

pub struct Deposit<'info> {
    #[account()]  // Missing validation here
    pub deposit_token: Box<Account<'info, Mint>>,

    #[account(
        seeds = [TOKEN_SEED, deposit_params.token_hash.as_ref()],
        bump = allowed_token.bump,
        constraint = allowed_token.allowed == true @ VaultError::TokenNotAllowed
    )]
    pub allowed_token: Box<Account<'info, AllowedToken>>,
}

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

1. Attacker observes legitimate token hash from blockchain explorer or AllowedToken account query
2. Attacker creates worthless token mint M2
3. Attacker calls deposit() with: token_hash = legitimate_token_hash deposit_token = M2 address
4. System validates token_hash against AllowedToken but never checks deposit_token matches allowed_token.mint_account
5. Attacker's worthless tokens are accepted as if they were legitimate tokens
6. Attacker can now withdraw legitimate tokens from vault

Impact

The vault suffers potential complete loss of legitimate token assets. The attacker gains all withdrawn legitimate tokens while only spending worthless self-created tokens.

PoC

No response

Mitigation

No response