Attacker can control rebate managers for supported tokens since there is only 1 rebate manager per quote token
Summary
The rebate manager uses the following seeds on creation:
REBATE_MANAGER_SEED
quote_token_mint
This means that only 1 rebate manager can be created per quote token. Any attacker can block rebate functionality by front-running the creation of rebate managers for all the supported tokens (e.g. USDC, USDT, SOL).
Root Cause
In create_rebate_manager.rs:18-21, the choice to allow only 1 rebate manager per quote token is a mistake. Attackers can front-run the creation of rebate managers for supported quote tokens so they control all rebate managers.
Glamorous Violet Chameleon
Medium
Attacker can control rebate managers for supported tokens since there is only 1 rebate manager per quote token
Summary
The rebate manager uses the following seeds on creation:
REBATE_MANAGER_SEED
quote_token_mint
This means that only 1 rebate manager can be created per quote token. Any attacker can block rebate functionality by front-running the creation of rebate managers for all the supported tokens (e.g. USDC, USDT, SOL).
Root Cause
In
create_rebate_manager.rs:18-21
, the choice to allow only 1 rebate manager per quote token is a mistake. Attackers can front-run the creation of rebate managers for supported quote tokens so they control all rebate managers.Internal pre-conditions
None
External pre-conditions
None
Attack Path
create_rebate_manager()
calls with their own.Impact
Rebate functionality will be blocked for the quote tokens the attacker controls.
PoC
No response
Mitigation
Consider using the
authority
as part of the seeds when creating a rebate manager.