davidkathoh - Missing Fee Validation in Token Withdrawal

[sherlock-admin3]

davidkathoh

Medium

Missing Fee Validation in Token Withdrawal

Summary

The token withdrawal implementation lacks proper validation of fee amounts against token amounts, which could lead to arithmetic underflow and potential loss of funds.

Root Cause

In the oapp_lz_receive.rs:117 the withdrawl logic performs unchecked substraction:

https://github.com/sherlock-audit/2024-09-orderly-network-solana-contract/blob/main/solana-vault/packages/solana/contracts/programs/solana-vault/src/instructions/oapp_instr/oapp_lz_receive.rs#L117-L123

Internal pre-conditions

1. VaultAuthority needs to be initialized with proper PDA seeds and bump
2. user_deposit_wallet and vault_deposit_wallet need to be properly initialized Associated Token Accounts
3. Vault needs to have sufficient token balance to process withdrawals

External pre-conditions

1. LayerZero message needs to be properly formatted and contain withdrawal parameters
2. Cross-chain message needs to be successfully delivered and processed by LayerZero endpoint

Attack Path

1. Attacker crafts a malicious LayerZero message with fee greater than token_amount
2. Message is sent through LayerZero to solana chain
3. Message arrives and passes message validation checks
4. Withdrawal processing begins and attempts to subtract fee from token amount
5. This scenario occurs: If fee > token_amount: Arithmetic underflow causes transaction to fail or withdraw more from the vault

Impact

The protocol suffers a critical loss of funds due to arithmetic underflow in amount_to_transfer calculation. When fee > token_amount, the subtraction operation token_amount - fee will underflow , resulting in a very large number .
Example:

If token_amount = 100 and fee = 101
amount_to_transfer = token_amount - fee
In u64:100 - 101underflows to 18446744073709551615 (2^64 - 1)
The attacker can withdraw this massive amount of tokens from the vault

PoC

No response

Mitigation

No response