Active Boosts

#36787 [SC-Insight] The vault program don't support token2022 transfer

Submitted on Nov 14th 2024 at 12:17:58 UTC by @Hoverfly9132 for Audit Comp | Jito Restaking

  • Report ID: #36787

  • Report Type: Smart Contract

  • Report severity: Insight

  • Target: https://github.com/jito-foundation/restaking/tree/master/vault_program

  • Impacts:

    • Smart contract unable to operate due to lack of token funds

Description

Bug Description

From the competition page we can know the vault program should support SPL token 2022:

The Vault and Restaking programs support the SPL Token and SPL Token 2022 standards.

But when calling process_mint() instruction, the token program id is hardcoded to be spl_token and not spl_token_2022. The spl token and spl token 2022 have different program id, the SPL token program id is TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA and SPL token 2022 program id is TokenzQdBNbLqP5VEhdkAS6EPFLC1PHnBqCXEpPxuEb, you can see the decalre for spl_token program id and spl_token_2022 program id.

pub fn process_mint(
    program_id: &Pubkey,
    accounts: &[AccountInfo],
    amount_in: u64,
    min_amount_out: u64,
) -> ProgramResult {
    ...
    // transfer tokens from depositor to vault
    {
        invoke(
            &transfer(
                // @audit - hardcoded spl token program id
                &spl_token::id(),
                depositor_token_account.key,
                vault_token_account.key,
                depositor.key,
                &[],
                amount_in,
            )?,
            &[
                depositor_token_account.clone(),
                vault_token_account.clone(),
                depositor.clone(),
            ],
        )?;
    }
    ...
}

If the users transfer SPL token2022 to the vault by calling the process_mint() instruction, the transfer will fail because wrong token program id.

And in the process_initialize_vault() instruction, the token program id is loaded by load_token_program(), this function will check the token program id is spl_token or not, if not, it will return an error:

So the vault program doesn't support SPL token2022 init.

Impact

The vault program doesn't support SPL token 2022 init and transfer.

Recommendation

Add the SPL token2022 feature to the vault program.

Proof of Concept

Proof of Concept

Place the case in the vault_program/src/ path, run it by cargo test --package jito-vault-program --lib -- test_token2022_basic:

Previous#37315 [SC-High] Theft of Unclaimed Yields Due to Improper Reward Distribution in Vault ProgramNext#36903 [SC-High] The vault reward mechanism can be sandwiched by MEV

Last updated

Was this helpful?