However, only the rebate_manager.authority is the only allowedrebate_info.authority when claiming rebate fees.
#[account(mut,
has_one = rebate_manager,
has_one = rebate_authority,
// @audit only the `rebate_manager.authority` is allowed and not the `rebate_manager.admin_authority`. This makes
// all rebate infos created by admin authorities incapable of claiming rebate fees.
constraint = rebate_info.authority == rebate_manager.authority
)]
pub rebate_info: Account<'info, RebateInfo>,
Root Cause
In claim_rebate_fee.rs:26, there is a missing constraint that allows rebate infos created by a rebate_manager.admin_authority to claim rebate fees.
Internal pre-conditions
A rebate manager admin authority creates a rebate info.
External pre-conditions
None
Attack Path
The rebate authority for a rebate info created by a rebate manager admin authority tries to claim rebate fee.
Claiming will always fail.
Impact
All rebate infos created by a rebate manager admin authority can not have their rebate fees claimed.
PoC
No response
Mitigation
Consider modifying the constraint in claim_rebate_fee() to:
Glamorous Violet Chameleon
High
Rebate authority is unable to claim fee due to incorrect constraint not allowing rebate manager admin authority
Summary
Rebate authority or admin authority can create a
rebate_info
.That
authority
is stored inrebate_info.authority
when the rebate info is created.However, only the
rebate_manager.authority
is the only allowedrebate_info.authority
when claiming rebate fees.Root Cause
In
claim_rebate_fee.rs:26
, there is a missing constraint that allows rebate infos created by arebate_manager.admin_authority
to claim rebate fees.Internal pre-conditions
External pre-conditions
None
Attack Path
Impact
All rebate infos created by a rebate manager admin authority can not have their rebate fees claimed.
PoC
No response
Mitigation
Consider modifying the constraint in
claim_rebate_fee()
to: