search

sherlock-audit / 2024-08-woofi-solana-deployment-judging

0 stars 0 forks source link

Tame Macaroon Tapir - Constraints are not defined in set_only_owner_config.rs #20

Open sherlock-admin4 opened 11 hours ago

sherlock-admin4 commented 11 hours ago

Tame Macaroon Tapir

Medium

Constraints are not defined in set_only_owner_config.rs

Summary

Constraints are not set in set_only_owner_config.rs so anyone can set wooracle admin authority and guardian handler.

Vulnerability Detail

The contracts declares the expected authority, but doesn't put constraints on who can make the calls. As a result, the functions set_wooracle_admin_handler and set_guardian_handler can be called by anyone.

#[derive(Accounts)]
pub struct SetOnlyOwnerConfig<'info> {
    #[account(mut,
        has_one = authority,
    )]
    pub wooconfig: Account<'info, WooConfig>,

    pub authority: Signer<'info>,
}

Impact

Anyone can set wooracle admin authority and guardian handler potentially risking the protcol's safety.

Code Snippet

https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/1c4c9c622e8c44ae2f8cd4219c7c2a0181f25ca0/WOOFi_Solana/programs/woofi/src/instructions/admin/set_only_owner_config.rs#L15-L22

https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/1c4c9c622e8c44ae2f8cd4219c7c2a0181f25ca0/WOOFi_Solana/programs/woofi/src/instructions/admin/set_only_owner_config.rs#L24-L31

Tool used

Manual Review

Recommendation

Add the needed constraints to tighten access control.

toprince commented 9 hours ago

Not valid for this one. has_one = authority is the constraint