
Possible DOS when withdrawing liquidity from Solana Lockbox

medium | Code4rena

Lines of code

https://github.com/code-423n4/2023-12-autonolas/blob/2a095eb1f8359be349d23af67089795fb0be4ed1/lockbox-solana/solidity/liquidity_lockbox.sol#L194-L214

Vulnerability details

Impact

Possible DOS when withdrawing liquidity from Lockbox

Proof of Concept

A withdrawal must pass all the associated accounts in the transaction. However, some of these (position, pdaPositionAccount and positionMint) depend on the current modifiable state of the account, i.e. if another withdrawal occurs, the accounts that must be passed to the function call might change, resulting in a revert.

https://github.com/code-423n4/2023-12-autonolas/blob/2a095eb1f8359be349d23af67089795fb0be4ed1/lockbox-solana/solidity/liquidity_lockbox.sol#L194-L214

```solidity
@mutableAccount(pool)
@account(tokenProgramId)
@mutableAccount(position)
@mutableAccount(userBridgedTokenAccount)
@mutableAccount(pdaBridgedTokenAccount)
@mutableAccount(userWallet)
@mutableAccount(bridgedTokenMint)
@mutableAccount(pdaPositionAccount)
@mutableAccount(userTokenAccountA)
@mutableAccount(userTokenAccountB)
@mutableAccount(tokenVaultA)
@mutableAccount(tokenVaultB)
@mutableAccount(tickArrayLower)
@mutableAccount(tickArrayUpper)
@mutableAccount(positionMint)
@signer(sig)
function withdraw(uint64 amount) external {
    // The expected position is read from on-chain state at execution time
    address positionAddress = positionAccounts[firstAvailablePositionAccountIndex];
    // The position account supplied by the caller must match it exactly
    if (positionAddress != tx.accounts.position.key) {
        revert("Wrong liquidity token account");
    }
```

The DOS for a withdrawal can be caused by another user withdrawing before the user's transaction. Because it is possible to steal fees, attackers would be motivated to call the withdraw method frequently, making such a scenario likely.

Tools Used

Manual review

Recommended Mitigation Steps

Mitigating this would require a redesign of how the lockbox accepts liquidity. Instead of adding new positions, the lockbox can keep its liquidity in a single position, continuously increasing that position's liquidity on deposits.
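A toy Python model of the race described in the proof of concept and of the single-position redesign recommended above; it is an added example, not code from the Autonolas repository or from the report. The class names, position labels and amounts are constructed, and the model assumes the index advances once the head position is fully withdrawn.

```python
from dataclasses import dataclass

class Revert(Exception):
    """Models a reverted transaction."""

@dataclass
class QueueLockbox:
    """Model of the reported design: withdraw must name the current head position."""
    position_accounts: list      # constructed position addresses, in deposit order
    liquidity: dict              # position address -> remaining liquidity
    first_available: int = 0     # stands in for firstAvailablePositionAccountIndex

    def head(self):
        return self.position_accounts[self.first_available]

    def withdraw(self, position, amount):
        if position != self.head():              # the check from the excerpt
            raise Revert("Wrong liquidity token account")
        if amount > self.liquidity[position]:
            raise Revert("amount exceeds position liquidity")  # constructed message
        self.liquidity[position] -= amount
        if self.liquidity[position] == 0:        # assumption: drained head advances the index
            self.first_available += 1

@dataclass
class SinglePositionLockbox:
    """Model of the recommended mitigation: one position, so a fixed account set."""
    position: str
    liquidity: int

    def head(self):
        return self.position

    def withdraw(self, position, amount):
        if position != self.position:
            raise Revert("Wrong liquidity token account")
        if amount > self.liquidity:
            raise Revert("amount exceeds position liquidity")
        self.liquidity -= amount

def race(lockbox, first_amount, second_amount):
    """Two users snapshot the accounts from the same state; return the second tx's outcome."""
    first_accounts = second_accounts = lockbox.head()   # both read before either tx lands
    lockbox.withdraw(first_accounts, first_amount)
    try:
        lockbox.withdraw(second_accounts, second_amount)
        return "ok"
    except Revert as err:
        return str(err)
```

In the queue model the second transaction reverts only when the first one drains the head position; in the single-position model the account set never changes, so the same ordering succeeds.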

Assessed type

Context