Creamy Carrot Yeti - Missing access control in the create_config instruction

[sherlock-admin4]

Creamy Carrot Yeti

High

Missing access control in the create_config instruction

Summary

At the moment create_config() instruction misses access control meaning anybody can basically create a new config which is an unexpected behavior.

Vulnerability Detail

Let's take a look at the CreateConfig struct:

https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/woofi/src/instructions/admin/create_config.rs#L6-22

#[derive(Accounts)]
pub struct CreateConfig<'info> {
    #[account(mut)]
    pub authority: Signer<'info>,

    #[account(
        init,
        payer = authority,
        space = 8 + WooConfig::INIT_SPACE,
        seeds = [
          WOOCONFIG_SEED.as_bytes(),
        ],
        bump)]
    pub wooconfig: Box<Account<'info, WooConfig>>,

    pub system_program: Program<'info, System>,
}

As you can see, authority is not verified somehow (no constraints to make sure it's a trusted payer) meaning anybody can create a new config. As the wooconfig is one of the central admin instructions that will be widely used in the system, this issue will cause some serious consequences.

Impact

Anybody can call admin instruction handler() function and set a new wooconfig.

Code Snippet

Provided above.

Tool used

Manual Review

Recommendation

Make sure that the authority is verified in the create_config instruction as it's done in other instructions by setting some constraints.

[toprince]

Not valid. impossible create another one.