User will use external accounts for bypassing check in programs

Summary

In the current implementation, multiple instructions make the assumption that accounts are owned by the current program (so are trusted) but they are not. This allows user to provide external accounts to bypass checks.

Root Cause

Lack of seeds constraint every time wooconfig is used (for example: create_wooracle.rs#L44)

Other occurences in claim_fee.rs, create_pool.rs#L9, deposit_withdraw.rs#L9, and everywhere else in the codebase.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

User creates a wooconfig account owned by himself
User uses this wooconfig account through the WooFi instructions to bypass checks

Impact

Multiple checks are bypassed, including access control checks.

PoC

No response

Mitigation

Every time wooconfig is expected, ensure that the account is the correct PDA.

For example, in the CreateWooracle structure, it gives:

#[derive(Accounts)]
pub struct CreateWooracle<'info> {
    #[account(
        seeds = [
          WOOCONFIG_SEED.as_bytes(),
        ],
        bump)]
    pub wooconfig: Box<Account<'info, WooConfig>>,

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

032.md

032.md

User will use external accounts for bypassing check in programs

Summary

Root Cause

Internal pre-conditions

External pre-conditions

Attack Path

Impact

PoC

Mitigation

Files

032.md

Latest commit

History

032.md

File metadata and controls

User will use external accounts for bypassing check in programs

Summary

Root Cause

Internal pre-conditions

External pre-conditions

Attack Path

Impact

PoC

Mitigation