toprince
commented
2 months ago Not valid for this one. No need to check if the account is valid. If the account is not valid in rebate manager, then we can save the rebate fee.
Open sherlock-admin3 opened 2 months ago
toprince
commented
2 months ago Not valid for this one. No need to check if the account is valid. If the account is not valid in rebate manager, then we can save the rebate fee.
chinepun
Medium
Rebate_to account not validated during Swapping
Summary
There is a missing check to the rebate account when swapping is performed, hence any account could be passed into the rebate account.
Root Cause
rebate_to account not validated
Internal pre-conditions
Any user can call this instruction and pass any account as the
rebate_toaccountAttack Path
Calling the
swapinstruction and passing any account to therebate_toaccount is enough to trigger this functionalityImpact
There is little impact as these account is only emitted through an event but this emitted event could be used to trick event listeners in the case of an actual attack scenario.
PoC
Passing any account into the
rebate_toaccount when theswapinstruction is calledMitigation
Validate
rebate_toaccount by performing the following stepsStep 1 Add
to Cargo.toml
Step 2 Make the state module public
pub mod state;Step 3 Verify
rebate_toaccount is owned by therebate_managerprogram and add other custom checksrebate_to: Account<'info, rebate_manager::state::rebate_info::RebateInfo>,inswap.rs