Functions need admin authority: claim_fee, claim_rebate_fee, create_oracle, create_pool, create_rebate_pool, deposit, set_pool_admin, set_pool_state (all handlers in this file), set_woo_admin, set_woo_state (all handlers in this file)
Creamy Carrot Yeti
High
create_rebate_manager has no access control
Summary
There is currently no check that only a trusted authority is able to create a new rebate_manager.
Vulnerability Detail
In the create_rebate_manager instruction, authority is not verified in any way:
https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/rebate_manager/src/instructions/admin/create_rebate_manager.rs#L11-23
As you can see here, there is no constraint requiring authority to be a trusted one. The only thing that's done is setting payer to the signer address, which determines who pays the SOL for allocating storage. This allows anybody to call the handler() function:
https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/rebate_manager/src/instructions/admin/create_rebate_manager.rs#L38-46
We get authority by fetching the key from authority in the context. As per spec:
https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/rebate_manager/src/instructions/admin/create_rebate_manager.rs#L38-46
Impact
Anybody can create a rebate manager.
Code Snippet
Provided above.
Tool used
Manual Review
Recommendation
Introduce constraints to ensure proper access control.
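The difference between "the caller signed" and "the caller is the trusted admin" is shown below as an added example; it is a plain-Rust model, not code from the audited program. The types, function names and the idea of an admin key held in a config account are assumptions made for illustration.

```rust
// Plain-Rust model (no Anchor dependency) of the access-control gap described above.
// All types and names here are hypothetical stand-ins, not the WOOFi program's code.
type Pubkey = [u8; 32];

#[derive(Debug, PartialEq)]
enum CreateError {
    MissingSignature, // account was passed but did not sign the transaction
    Unauthorized,     // signer is not the trusted admin
}

/// What the instruction sees for the `authority` account.
struct AuthorityAccount {
    key: Pubkey,
    is_signer: bool,
}

#[derive(Debug, PartialEq)]
struct RebateManager { authority: Pubkey }

/// Behaviour the finding describes: a signature is required (the signer pays
/// for the new account), but nothing ties the signer to a trusted key.
fn create_unchecked(authority: &AuthorityAccount) -> Result<RebateManager, CreateError> {
    if !authority.is_signer {
        return Err(CreateError::MissingSignature);
    }
    Ok(RebateManager { authority: authority.key })
}

/// Hardened form: the signer must also equal an admin key the program already
/// trusts (assumed here to live in a config account the deployer initialised).
fn create_checked(
    authority: &AuthorityAccount,
    trusted_admin: &Pubkey,
) -> Result<RebateManager, CreateError> {
    if !authority.is_signer {
        return Err(CreateError::MissingSignature);
    }
    if &authority.key != trusted_admin {
        return Err(CreateError::Unauthorized);
    }
    Ok(RebateManager { authority: authority.key })
}

fn main() {
    let admin: Pubkey = [1u8; 32]; // constructed sample keys
    let stranger = AuthorityAccount { key: [9u8; 32], is_signer: true };
    println!("unchecked: {:?}", create_unchecked(&stranger));
    println!("checked:   {:?}", create_checked(&stranger, &admin));
}
```

In an Anchor program the second check is usually written declaratively on the accounts struct, for example with a `has_one`, `address` or `constraint` attribute, so it runs before the handler body.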