Missing Access Control in set_admin_authority Method
Summary
The set_admin_authority method in the RebateManager currently allows anyone to modify the list of administrators without any access restrictions. This loophole can be exploited by malicious actors to grant themselves administrative privileges.
Vulnerability Detail
The method set_admin_authority is designed to update the list of administrative authorities (admin_authority). However, there's no mechanism to ensure that only authorized users can perform this action. Without proper access control, any user can call this method to alter the administrator list, adding themselves or others.
Impact
Privilege Escalation: Unauthorized users can become administrators.
New rogue administrators can perform unauthorized transactions, or disrupt the contract's normal functioning.
Implement access control to ensure that only the designated authority (or possibly existing administrators) can modify the admin_authority list. In Anchor, you can use the #[derive(Accounts)] macro to enforce these constraints.
Strong Magenta Loris
High
Missing Access Control in set_admin_authority Method
Summary
The set_admin_authority method in the
RebateManager
currently allows anyone to modify the list of administrators without any access restrictions. This loophole can be exploited by malicious actors to grant themselves administrative privileges.Vulnerability Detail
The method
set_admin_authority
is designed to update the list of administrative authorities (admin_authority
). However, there's no mechanism to ensure that only authorized users can perform this action. Without proper access control, any user can call this method to alter the administrator list, adding themselves or others.Impact
Code Snippet
https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/rebate_manager/src/state/rebate_manager.rs#L74-L82
Tool used
Manual Review
Recommendation
Implement access control to ensure that only the designated authority (or possibly existing administrators) can modify the
admin_authority
list. In Anchor, you can use the#[derive(Accounts)]
macro to enforce these constraints.Then, update the method to use this context: