Fresh Pineapple Dalmatian - `rebate_info` and `rebate_manager` are unable to sign the CPI call due to an incorrect implementation of the `seeds` function #29
Fresh Pineapple Dalmatian
High
`rebate_info` and `rebate_manager` are unable to sign the CPI call due to an incorrect implementation of the `seeds` function
Summary
`rebate_info` and `rebate_manager` will not be able to sign the CPI message because their `seeds` function has been implemented incorrectly.
Root Cause
The implementation of the seeds function is incorrect because the correct seed needs to include the full seed phrase and the bump, but the seeds function does not include the bump.
https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/1c4c9c622e8c44ae2f8cd4219c7c2a0181f25ca0/WOOFi_Solana/programs/rebate_manager/src/state/rebate_manager.rs#L54
https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/1c4c9c622e8c44ae2f8cd4219c7c2a0181f25ca0/WOOFi_Solana/programs/rebate_manager/src/state/rebate_info.rs#L51
Internal pre-conditions
None
External pre-conditions
None
Attack Path
None
Impact
It will prevent the `claim_rebate_fee` and `withdraw` operations from executing, resulting in tokens being permanently locked in the contract.
PoC
No response
Mitigation
Here is an example of fixing rebate_manager:
The fix for `rebate_info` is the same as described above.
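The signing failure described under Root Cause, modelled in Python as an added example (not the WOOFi code and not the reporter's fix): it re-implements Solana's program-derived-address hashing and the seed check applied to a signed CPI, then compares signer seeds with and without the bump. The program id, seed values and helper names are constructed for illustration.

```python
import hashlib

P = 2**255 - 19                          # ed25519 field prime
D = (-121665 * pow(121666, -1, P)) % P   # ed25519 curve constant d
MARKER = b"ProgramDerivedAddress"

def on_curve(key: bytes) -> bool:
    """True if the 32 bytes decompress to an ed25519 point (so not a valid PDA)."""
    y = (int.from_bytes(key, "little") & ((1 << 255) - 1)) % P
    x2 = (y * y - 1) * pow(D * y * y + 1, -1, P) % P   # x^2 = (y^2-1)/(d*y^2+1)
    return x2 == 0 or pow(x2, (P - 1) // 2, P) == 1    # Euler's criterion

def create_program_address(seeds, program_id: bytes):
    """Hash the seeds exactly as given; None when the result lands on the curve."""
    h = hashlib.sha256(b"".join(seeds) + program_id + MARKER).digest()
    return None if on_curve(h) else h

def find_program_address(seeds, program_id: bytes):
    """Append bump 255, 254, ... as the last seed until the hash is off-curve."""
    for bump in range(255, -1, -1):
        addr = create_program_address(list(seeds) + [bytes([bump])], program_id)
        if addr is not None:
            return addr, bump
    raise ValueError("no viable bump")

def cpi_signer_ok(signer_seeds, program_id: bytes, pda: bytes) -> bool:
    """Model of the signed-CPI check: the seeds must re-derive the signing PDA."""
    return create_program_address(signer_seeds, program_id) == pda

# Constructed sample values (hypothetical, not WOOFi's real seeds or program id).
PROGRAM_ID = hashlib.sha256(b"example-program").digest()
BASE_SEEDS = [b"example-seed", hashlib.sha256(b"example-quote-mint").digest()]
PDA, BUMP = find_program_address(BASE_SEEDS, PROGRAM_ID)

def seeds_without_bump():   # shape of the reported bug: bump omitted
    return list(BASE_SEEDS)

def seeds_with_bump():      # full seed phrase plus the bump
    return list(BASE_SEEDS) + [bytes([BUMP])]

if __name__ == "__main__":
    print("bump:", BUMP)
    print("without bump signs:", cpi_signer_ok(seeds_without_bump(), PROGRAM_ID, PDA))
    print("with bump signs:   ", cpi_signer_ok(seeds_with_bump(), PROGRAM_ID, PDA))
```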