0rpse - token accounts are not verified against token_hash

[sherlock-admin2]

0rpse

High

token accounts are not verified against token_hash

Summary

In Solana vault's deposit and withdraw flows token accounts are not verified against token_hash, this makes it possible for an attacker to withdraw from or deposit to the vault any token but make it seem like its any other token.

Root Cause

In oapp_lz_receive.rs and deposit.rs, deposit_token account is not checked againts token_hash parameter, token accounts are not included in the message either.:
https://github.com/sherlock-audit/2024-09-orderly-network-solana-contract/blob/main/solana-vault/packages/solana/contracts/programs/solana-vault/src/instructions/oapp_instr/oapp_lz_receive.rs#L10-L146
https://github.com/sherlock-audit/2024-09-orderly-network-solana-contract/blob/main/solana-vault/packages/solana/contracts/programs/solana-vault/src/instructions/vault_instr/deposit.rs#L20-L176

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

1. Attacker calls deposit with usdc_hash, for token accounts attacker chooses some other token that is worth less than usdc, but for the protocol it will seem an amount of usdc was deposited to the vault.
2. After deposit process is done, withdrawal process can take place with the same parameters but this time specifying usdc accounts, attacker profits.
   This attack path assumes some amount of usdc is already deposited to the vault.

Impact

Loss of funds.

PoC

No response

Mitigation

deposit_token should be checked against the token_hash parameter.