search

sherlock-audit / 2024-08-woofi-solana-deployment-judging

0 stars 0 forks source link

Creamy Carrot Yeti - create_rebate_manager has no access control #53

Open sherlock-admin4 opened 13 hours ago

sherlock-admin4 commented 13 hours ago

Creamy Carrot Yeti

High

create_rebate_manager has no access control

Summary

There is currently no check that only trusted authority is able to create a new rebate_manager.

Vulnerability Detail

In the create_rebate_manager instruction, authority is not verified somehow:

https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/rebate_manager/src/instructions/admin/create_rebate_manager.rs#L11-23

  #[account(mut)]
    pub authority: Signer<'info>,

    #[account(
        init,
        payer = authority,
        space = 8 + RebateManager::INIT_SPACE,
        seeds = [
          REBATEMANAGER_SEED.as_bytes(),
          quote_token_mint.key().as_ref()
        ],
        bump)]
    pub rebate_manager: Box<Account<'info, RebateManager>>,

As you can see here, there is no any constraint regarding authority being a trusted one. The only thing that's done is setting payer to the signer address meaning setting who is paying the SOL for allocating storage. This allows anybody to call handler() function:

https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/rebate_manager/src/instructions/admin/create_rebate_manager.rs#L38-46

pub fn handler(ctx: Context<CreateRebateManager>) -> Result<()> {
    let authority = ctx.accounts.authority.key();
    let quote_token_mint = ctx.accounts.quote_token_mint.key();
    let token_vault = ctx.accounts.token_vault.key();

    let rebate_manager = &mut ctx.accounts.rebate_manager;

    rebate_manager.initialize(authority, quote_token_mint, token_vault)
}

We get authority by fetching the key from authority in the context. As per spec:

https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/rebate_manager/src/instructions/admin/create_rebate_manager.rs#L38-46

Functions need admin authority: claim_fee claim_rebate_fee create_oracle create_pool create_rebate_pool deposit set_pool_admin set_pool_state (all handlers in this file) set_woo_admin set_woo_state(all handlers in this file

Impact

Anybody can create rebate manager.

Code Snippet

Provided above.

Tool used

Manual Review

Recommendation

Introduce constraints to ensure proper access control.

toprince commented 10 hours ago

Not valid. Same with https://github.com/sherlock-audit/2024-08-woofi-solana-deployment-judging/issues/14