sherlock-audit / 2024-08-woofi-solana-deployment-judging


Glamorous Violet Chameleon - Attacker can control rebate managers for supported tokens since there is only 1 rebate manager per quote token #16

Open sherlock-admin3 opened 15 hours ago

sherlock-admin3 commented 15 hours ago

Glamorous Violet Chameleon

Medium

Attacker can control rebate managers for supported tokens since there is only 1 rebate manager per quote token

Summary

The rebate manager uses the following seeds on creation:

This means that only 1 rebate manager can be created per quote token. Any attacker can block rebate functionality by front-running the creation of rebate managers for all the supported tokens (e.g. USDC, USDT, SOL).

Root Cause

In create_rebate_manager.rs:18-21, the choice to allow only 1 rebate manager per quote token is a mistake. Attackers can front-run the creation of rebate managers for supported quote tokens so they control all rebate managers.

Internal pre-conditions

None

External pre-conditions

None

Attack Path

  1. Attacker front-runs any create_rebate_manager() calls with their own.

Impact

Rebate functionality will be blocked for the quote tokens the attacker controls.

PoC

No response

Mitigation

Consider using the authority as part of the seeds when creating a rebate manager.
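The seed collision described in this report, and the suggested mitigation, as an added example that is not part of the original issue or the project's code. It is a simplified Python model of program-derived address derivation; the seed prefix, program id and all keys are constructed, and the per-token seed layout is assumed from the report's statement that only 1 rebate manager can exist per quote token.

```python
import hashlib

P = 2**255 - 19
D = -121665 * pow(121666, P - 2, P) % P  # ed25519 curve constant d

def on_curve(b: bytes) -> bool:
    """True if the 32 bytes decompress to an ed25519 point (not usable as a PDA)."""
    y = (int.from_bytes(b, "little") & ((1 << 255) - 1)) % P
    x2 = (y * y - 1) * pow(D * y * y + 1, P - 2, P) % P
    return x2 == 0 or pow(x2, (P - 1) // 2, P) == 1

def find_pda(seeds, program_id: bytes):
    """Model of find_program_address: first bump from 255 down that lands off-curve."""
    for bump in range(255, -1, -1):
        h = hashlib.sha256(b"".join(seeds) + bytes([bump]) + program_id
                           + b"ProgramDerivedAddress").digest()
        if not on_curve(h):
            return h, bump
    raise ValueError("no valid bump")

def key(label: str) -> bytes:
    return hashlib.sha256(label.encode()).digest()  # constructed stand-in for a pubkey

PROGRAM_ID = key("program")   # constructed
PREFIX = b"rebate_manager"    # hypothetical seed prefix, not taken from the project

def seeds_per_token(authority: bytes, quote_mint: bytes):
    return [PREFIX, quote_mint]             # assumed current layout: authority ignored

def seeds_per_authority(authority: bytes, quote_mint: bytes):
    return [PREFIX, authority, quote_mint]  # layout suggested in the Mitigation section

def create_rebate_manager(accounts: dict, seeds_fn, authority: bytes, quote_mint: bytes) -> bytes:
    """Model of an init-style instruction: fails if the derived address is already taken."""
    addr, _ = find_pda(seeds_fn(authority, quote_mint), PROGRAM_ID)
    if addr in accounts:
        raise RuntimeError("account already in use")
    accounts[addr] = {"authority": authority, "quote_mint": quote_mint}
    return addr

def second_creation_succeeds(seeds_fn) -> bool:
    """An unrelated signer creates first; report whether the intended authority still can."""
    accounts, usdc = {}, key("usdc-mint")
    create_rebate_manager(accounts, seeds_fn, key("other-signer"), usdc)
    try:
        create_rebate_manager(accounts, seeds_fn, key("intended-authority"), usdc)
        return True
    except RuntimeError:
        return False
```

With the authority in the seeds, any signer can still create a manager at their own address, so code that consumes a rebate manager account has to check which authority it belongs to.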

toprince commented 13 hours ago

Need to investigate this further.