Proud Wintergreen Butterfly
High
The wooracles/woopools can be initialized by anyone, which can lead to DOS of pools because only one oracle/pool account exist for a certain pair of token_mint
and quote_token_mint
.
Any address may intialize an oracle and a pool for a specific token_mint
and quote_token_mint
pair, which will make the said pool unusable by the protocol because the authority (a malicious actor) will be able to withdraw any tokens deposited to the pool by the config’s woopool_admin_authority
. The issue arises because the signer of the instruction gets declared as admin and there is no check that this signer is indeed the admin of the protocol.
Protocol’s pool will be unusable, which will lead to redeployment of the program to a new account if the team wants to expand their pools to the ones that are currently compromised.
wooracle’s initialization woopool’s initialization sherlock-bot doesn't detect my references-ignore
Manual Review
Implement access control, add a constraint that the signer of the instruction is the wooconfig’s authority
.