As you can see, authority is not verified somehow (no constraints to make sure it's a trusted payer) meaning anybody can create a new config. As the wooconfig is one of the central admin instructions that will be widely used in the system, this issue will cause some serious consequences.
Impact
Anybody can call admin instruction handler() function and set a new wooconfig.
Code Snippet
Provided above.
Tool used
Manual Review
Recommendation
Make sure that the authority is verified in the create_config instruction as it's done in other instructions by setting some constraints.
Creamy Carrot Yeti
High
Missing access control in the create_config instruction
Summary
At the moment
create_config()
instruction misses access control meaning anybody can basically create a new config which is an unexpected behavior.Vulnerability Detail
Let's take a look at the
CreateConfig
struct:https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/woofi/src/instructions/admin/create_config.rs#L6-22
As you can see,
authority
is not verified somehow (no constraints to make sure it's a trusted payer) meaning anybody can create a new config. As thewooconfig
is one of the central admin instructions that will be widely used in the system, this issue will cause some serious consequences.Impact
Anybody can call admin instruction
handler()
function and set a newwooconfig
.Code Snippet
Provided above.
Tool used
Manual Review
Recommendation
Make sure that the authority is verified in the
create_config
instruction as it's done in other instructions by setting some constraints.