sherlock-audit / 2024-08-woofi-solana-deployment-judging


Glamorous Violet Chameleon - Rebate authority is unable to claim fee due to incorrect constraint not allowing rebate manager admin authority #17

Open sherlock-admin4 opened 11 hours ago

sherlock-admin4 commented 11 hours ago

Glamorous Violet Chameleon

High

Rebate authority is unable to claim fee due to incorrect constraint not allowing rebate manager admin authority

Summary

Rebate authority or admin authority can create a rebate_info.

  #[account(
    constraint = rebate_manager.authority == authority.key()
              || rebate_manager.admin_authority.contains(authority.key),
  )]

That authority is stored in rebate_info.authority when the rebate info is created.

  rebate_info.authority = ctx.accounts.authority.key();

However, the rebate_manager.authority is the only allowed rebate_info.authority when claiming rebate fees.

  #[account(mut,
      has_one = rebate_manager,
      has_one = rebate_authority,
      // @audit only the `rebate_manager.authority` is allowed and not the `rebate_manager.admin_authority`. This makes 
      // all rebate infos created by admin authorities incapable of claiming rebate fees.
      constraint = rebate_info.authority == rebate_manager.authority
  )]
  pub rebate_info: Account<'info, RebateInfo>,

Root Cause

In claim_rebate_fee.rs:26, there is a missing constraint that allows rebate infos created by a rebate_manager.admin_authority to claim rebate fees.

Internal pre-conditions

  1. A rebate manager admin authority creates a rebate info.

External pre-conditions

None

Attack Path

  1. The rebate authority for a rebate info created by a rebate manager admin authority tries to claim rebate fee.
  2. Claiming will always fail.

Impact

All rebate infos created by a rebate manager admin authority cannot have their rebate fees claimed.

PoC

No response

Mitigation

Consider modifying the constraint in claim_rebate_fee() to:

-  constraint = rebate_info.authority == rebate_manager.authority
+  constraint = rebate_info.authority == rebate_manager.authority || rebate_manager.admin_authority
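
Review bot: the right-hand side of the `+` line is not a boolean expression: `rebate_info.authority == rebate_manager.authority || rebate_manager.admin_authority` puts the admin list itself after `||` instead of testing membership. The creation constraint quoted in the Summary checks admins with `rebate_manager.admin_authority.contains(authority.key)`, so the claim constraint should mirror it against the stored key, for example `|| rebate_manager.admin_authority.contains(&rebate_info.authority)`.
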
toprince commented 9 hours ago

Need further investigation. Same with https://github.com/sherlock-audit/2024-08-woofi-solana-deployment-judging/issues/13
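
The constraint mismatch described in the issue above, as an added example that is not part of the original report or the project's code: a plain-Rust model (no Anchor) of the creation check and the claim check, with the reported claim check beside one that mirrors the creation check. `Pubkey`, the struct layouts and all function names are assumptions made for illustration; the `has_one` checks are left out because they are not part of the mismatch.

```rust
// Added illustration: models only the two `constraint = ...` expressions
// quoted in the issue. Types and names are hypothetical stand-ins.
type Pubkey = [u8; 32];

struct RebateManager {
    authority: Pubkey,
    admin_authority: Vec<Pubkey>,
}

struct RebateInfo {
    authority: Pubkey, // signer recorded when the rebate info was created
}

/// Creation check: the manager authority or any admin authority may create.
fn create_rebate_info(m: &RebateManager, signer: Pubkey) -> Option<RebateInfo> {
    if m.authority == signer || m.admin_authority.contains(&signer) {
        Some(RebateInfo { authority: signer })
    } else {
        None
    }
}

/// Claim check as reported: only the manager authority is accepted.
fn claim_allowed_reported(m: &RebateManager, info: &RebateInfo) -> bool {
    info.authority == m.authority
}

/// Claim check that mirrors the creation check (intent of the mitigation).
fn claim_allowed_mirrored(m: &RebateManager, info: &RebateInfo) -> bool {
    info.authority == m.authority || m.admin_authority.contains(&info.authority)
}

/// Constructed sample data: one manager authority and two admin authorities.
fn sample_manager() -> RebateManager {
    RebateManager { authority: [1; 32], admin_authority: vec![[2; 32], [3; 32]] }
}

fn main() {
    let m = sample_manager();
    let by_owner = create_rebate_info(&m, [1; 32]).expect("owner may create");
    let by_admin = create_rebate_info(&m, [2; 32]).expect("admin may create");
    for (label, info) in [("owner-created", &by_owner), ("admin-created", &by_admin)] {
        println!(
            "{label}: reported check = {}, mirrored check = {}",
            claim_allowed_reported(&m, info),
            claim_allowed_mirrored(&m, info)
        );
    }
}
```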