Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sh1v - Missing Conditional Registration for New LayerZero Endpoint on OApp Reinitialization May Cause Call Failures #167

Open
sherlock-admin2 opened this issue Oct 27, 2024 · 0 comments
Open

sh1v - Missing Conditional Registration for New LayerZero Endpoint on OApp Reinitialization May Cause Call Failures #167

sherlock-admin2 opened this issue Oct 27, 2024 · 0 comments
Labels
Sponsor Disputed The sponsor disputed this issue's validity

Comments

@sherlock-admin2
Copy link
Contributor

sherlock-admin2 commented Oct 27, 2024
edited by sherlock-admin4
Loading

sh1v

High

Missing Conditional Registration for New LayerZero Endpoint on OApp Reinitialization May Cause Call Failures

Summary

The OApp reinitialization process lacks a conditional registration for newly configured LayerZero endpoints, leading to potential call failures if a new endpoint is specified. The LayerZero endpoint should only be registered once, but if reinitialization configures a new endpoint, registration does not occur, causing calls to fail due to the endpoint’s unregistered status.

Root Cause

During OApp reinitialization, there is no check to register a new LayerZero endpoint if the configuration has changed. The initial setup registers the endpoint correctly, but reinitialization does not trigger registration if a different endpoint is introduced.
https://github.com/sherlock-audit/2024-09-orderly-network-solana-contract/blob/main/solana-vault/packages/solana/contracts/programs/solana-vault/src/state/oapp_state/oapp_config.rs#L32-L41

https://github.com/sherlock-audit/2024-09-orderly-network-solana-contract/blob/main/solana-vault/packages/solana/contracts/programs/solana-vault/src/instructions/oapp_instr/reinit_oapp.rs#L29-L46

xample:

In LayerZero's example implementation, endpoint registration occurs during initial setup, ensuring valid communication paths. The OApp, however, does not re-register if a new endpoint is added during reinitialization, leaving it unverified and potentially inactive.

Internal pre-conditions

  • The OApp undergoes reinitialization with a new LayerZero endpoint configured.
  • The reinitialization process does not trigger conditional registration for the new endpoint

External pre-conditions

  • The user reinitializes the OApp and configures a different LayerZero endpoint from the original.
  • There is no external mechanism to enforce registration of this newly configured endpoint.

Attack Path

  • The OApp is reinitialized, and a new LayerZero endpoint is configured without triggering registration.
  • Calls to LayerZero fail due to the unregistered status of the newly added endpoint, impacting OApp functionality.

Impact

The OApp may experience disruptions as calls to an unregistered, newly configured LayerZero endpoint fail. This missing conditional registration step for new endpoints affects cross-chain communication, leading to potential call failures and limited protocol usability.

PoC

No response

Mitigation

No response
@sherlock-admin3 sherlock-admin3 added the Sponsor Disputed The sponsor disputed this issue's validity label Nov 3, 2024
@sherlock-admin4 sherlock-admin4 changed the title Original Emerald Millipede - Missing Conditional Registration for New LayerZero Endpoint on OApp Reinitialization May Cause Call Failures sh1v - Missing Conditional Registration for New LayerZero Endpoint on OApp Reinitialization May Cause Call Failures Nov 6, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Sponsor Disputed The sponsor disputed this issue's validity
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sherlock-admin2 @sherlock-admin3