0rpse - lz_receive can be called with any user account to steal from users #158
Labels
Sponsor Confirmed
The sponsor acknowledged this issue is valid
Comments
sherlock-admin3
added
the
Sponsor Confirmed
sherlock-admin4
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
0rpse
High
lz_receive can be called with any user account to steal from users
Summary
OApp's
lz_receiveinstruction is freely callable by anyone once the message gets verified. As user account in this instruction is not verified or included in the message, any user account can be specified for the instruction and the message would still go through, thus enabling withdrawal to any account.Root Cause
In
oapp_lz_receive.rslack of checks for user accounts that the tokens will be sent tohttps://github.com/sherlock-audit/2024-09-orderly-network-solana-contract/blob/main/solana-vault/packages/solana/contracts/programs/solana-vault/src/instructions/oapp_instr/oapp_lz_receive.rs#L13-L146
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
After a message is verified and ready for execution, call
lz_receivewith arbitrary accounts to steal funds from vault.Impact
Users funds can be stolen.
PoC
No response
Mitigation
Either include user accounts in the message or include checks for the accounts in instruction handler.
The text was updated successfully, but these errors were encountered: