search

sherlock-audit / 2024-08-woofi-solana-deployment-judging

0 stars 0 forks source link

Strong Magenta Loris - Missing Access Control in set_admin_authority Method #50

Open sherlock-admin4 opened 13 hours ago

sherlock-admin4 commented 13 hours ago

Strong Magenta Loris

High

Missing Access Control in set_admin_authority Method

Summary

The set_admin_authority method in the RebateManager currently allows anyone to modify the list of administrators without any access restrictions. This loophole can be exploited by malicious actors to grant themselves administrative privileges.

Vulnerability Detail

The method set_admin_authority is designed to update the list of administrative authorities (admin_authority). However, there's no mechanism to ensure that only authorized users can perform this action. Without proper access control, any user can call this method to alter the administrator list, adding themselves or others.

Impact

Code Snippet

https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/rebate_manager/src/state/rebate_manager.rs#L74-L82

Tool used

Manual Review

Recommendation

Implement access control to ensure that only the designated authority (or possibly existing administrators) can modify the admin_authority list. In Anchor, you can use the #[derive(Accounts)] macro to enforce these constraints.

use anchor_lang::prelude::*;

#[derive(Accounts)]
pub struct SetAdminAuthority<'info> {
    #[account(mut, has_one = authority)]
    pub rebate_manager: Account<'info, RebateManager>,
    pub authority: Signer<'info>,
}

Then, update the method to use this context:

pub fn set_admin_authority(
        ctx: Context<SetAdminAuthority>,
        admin_authority: Vec<Pubkey>,
    ) -> Result<()> {
        let rebate_manager = &mut ctx.accounts.rebate_manager;

        require!(
            admin_authority.len() <= ADMIN_AUTH_MAX_LEN,
            ErrorCode::TooManyAuthorities
        );

        rebate_manager.admin_authority = admin_authority;

        Ok(())
    }
toprince commented 10 hours ago

Already implemented? https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/rebate_manager/src/instructions/admin/set_admin.rs#L7-L12