Proud Wintergreen Butterfly
High
Possible DOS of pools leading
Summary
The wooracles/woopools can be initialized by anyone, which can lead to a DoS of pools, because only one oracle/pool account can exist for a given pair of token_mint and quote_token_mint.
Vulnerability Detail
Any address may initialize an oracle and a pool for a specific token_mint and quote_token_mint pair. Since only one account can exist per pair, the protocol can no longer create its own pool for that pair, and the one that exists is unusable by the protocol: its authority (the malicious actor who initialized it) will be able to withdraw any tokens deposited into the pool by the config's woopool_admin_authority. The issue arises because the signer of the instruction is recorded as the admin, and there is no check that this signer is indeed the admin of the protocol.
Impact
The protocol's pool will be unusable, which will lead to redeployment of the program to a new account if the team wants to expand their pools to the pairs that are currently compromised.
Code Snippet
wooracle’s initialization
woopool’s initialization
sherlock-bot doesn't detect my references-ignore
Tool used
Manual Review
Recommendation
Implement access control: add a constraint that the signer of the instruction is the wooconfig's authority.
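As an added illustration (not code from this report or from the audited program), the following stand-alone Rust model shows the two ingredients of the finding together: one pool account per (token_mint, quote_token_mint) pair, and an initializer that records whoever signs as the authority. It runs the front-running scenario against the unchecked handler and against a hardened one that requires the wooconfig authority. Account and field names, the constants used as keys, and the Anchor constraint named in the comments are assumptions; the real program's account layout is not reproduced, and the same check applies to the wooracle initializer.

```rust
use std::collections::HashMap;

/// Stand-in for `solana_program::pubkey::Pubkey` (assumption: a plain 32-byte key).
pub type Pubkey = [u8; 32];

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum ProgramError {
    /// The signer is not the wooconfig authority.
    Unauthorized,
    /// A pool for this (token_mint, quote_token_mint) pair already exists.
    AlreadyInitialized,
}

/// Assumed shape of the config account: only its `authority` matters here.
pub struct WooConfig {
    pub authority: Pubkey,
}

/// Assumed shape of a pool account; a wooracle would be modelled the same way.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct WooPool {
    pub authority: Pubkey,
    pub token_mint: Pubkey,
    pub quote_token_mint: Pubkey,
}

/// Models the program's account space. Keying on the mint pair mirrors a PDA
/// derived from those two mints: at most one pool can ever exist per pair.
#[derive(Default)]
pub struct Ledger {
    pools: HashMap<(Pubkey, Pubkey), WooPool>,
}

impl Ledger {
    /// `init` semantics: creating an account that already exists fails.
    fn init_pool(&mut self, pool: WooPool) -> Result<(), ProgramError> {
        let key = (pool.token_mint, pool.quote_token_mint);
        if self.pools.contains_key(&key) {
            return Err(ProgramError::AlreadyInitialized);
        }
        self.pools.insert(key, pool);
        Ok(())
    }

    /// Vulnerable handler (hypothetical): whoever signs becomes the pool authority.
    pub fn create_pool_unchecked(
        &mut self,
        signer: Pubkey,
        token_mint: Pubkey,
        quote_token_mint: Pubkey,
    ) -> Result<(), ProgramError> {
        self.init_pool(WooPool { authority: signer, token_mint, quote_token_mint })
    }

    /// Hardened handler: the signer must be the wooconfig authority. In Anchor
    /// this is what a constraint such as `#[account(has_one = authority)]` on
    /// the wooconfig account, with `authority` declared as a `Signer`, enforces.
    pub fn create_pool_checked(
        &mut self,
        signer: Pubkey,
        config: &WooConfig,
        token_mint: Pubkey,
        quote_token_mint: Pubkey,
    ) -> Result<(), ProgramError> {
        if signer != config.authority {
            return Err(ProgramError::Unauthorized);
        }
        self.init_pool(WooPool { authority: signer, token_mint, quote_token_mint })
    }

    /// Who controls the pool for this pair, if it exists.
    pub fn pool_authority(&self, token_mint: Pubkey, quote_token_mint: Pubkey) -> Option<Pubkey> {
        self.pools.get(&(token_mint, quote_token_mint)).map(|p| p.authority)
    }
}

/// Outcome of one front-running scenario.
#[derive(Debug, PartialEq, Eq)]
pub struct Outcome {
    pub attacker_init: Result<(), ProgramError>,
    pub admin_init: Result<(), ProgramError>,
    pub final_authority: Option<Pubkey>,
}

// Constructed keys for the scenario: protocol admin, attacker, and one mint pair.
pub const ADMIN: Pubkey = [0xAD; 32];
pub const ATTACKER: Pubkey = [0xBA; 32];
pub const TOKEN_MINT: Pubkey = [0x01; 32];
pub const QUOTE_MINT: Pubkey = [0x02; 32];

/// The attacker submits the init instruction first, then the admin tries.
/// `checked` selects the hardened handler.
pub fn front_run(checked: bool) -> Outcome {
    let config = WooConfig { authority: ADMIN };
    let mut ledger = Ledger::default();
    let call = |ledger: &mut Ledger, signer: Pubkey| {
        if checked {
            ledger.create_pool_checked(signer, &config, TOKEN_MINT, QUOTE_MINT)
        } else {
            ledger.create_pool_unchecked(signer, TOKEN_MINT, QUOTE_MINT)
        }
    };
    let attacker_init = call(&mut ledger, ATTACKER);
    let admin_init = call(&mut ledger, ADMIN);
    Outcome { attacker_init, admin_init, final_authority: ledger.pool_authority(TOKEN_MINT, QUOTE_MINT) }
}

fn main() {
    println!("unchecked: {:?}", front_run(false));
    println!("checked:   {:?}", front_run(true));
}
```

With the unchecked handler the attacker's init succeeds, the admin's later init fails with AlreadyInitialized, and the pair's only pool is controlled by the attacker, which is the DoS described above. With the check in place the attacker is rejected with Unauthorized and the admin's init creates the pool; note that the fix must be applied to both the wooracle and the woopool initializers, since either account being claimed first is enough to block the pair.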