Trendy Brick Stallion - authority is not validated in `create_rebate_manager.rs`

[sherlock-admin2]

Trendy Brick Stallion

Medium

authority is not validated in create_rebate_manager.rs

Summary

The authority account is not validated as a result there will be no access control on the program meanwhile it is supposed to be restricted

Root Cause

In line 12there are no constraints validating the signer to know whether he is authorized or not

Internal pre-conditions

no pre-con

External pre-conditions

no pre-con

Attack Path

Call handler

Impact

No authorisation validation and access controls meaning anyone can create a rebate manager

PoC

#[derive(Accounts)]
pub struct CreateRebateManager<'info> {
    pub quote_token_mint: Account<'info, Mint>,

    #[account(mut)]
    pub authority: Signer<'info>,

    #[account(
        init,
        payer = authority,
        space = 8 + RebateManager::INIT_SPACE,
        seeds = [
          REBATEMANAGER_SEED.as_bytes(),
          quote_token_mint.key().as_ref()
        ],
        bump)]
    pub rebate_manager: Box<Account<'info, RebateManager>>,

    #[account(
        init,
        payer = authority,
        token::mint = quote_token_mint,
        token::authority = rebate_manager
      )]
    pub token_vault: Box<Account<'info, TokenAccount>>,

    #[account(address = token::ID)]
    pub token_program: Program<'info, Token>,
    pub system_program: Program<'info, System>,
}

from the above struct pub declaration, we can see that there are no constraints validating the signer as being authorized or not

Mitigation

Implement constraints to Validate signer and add access controls

[toprince]

Not valid.