Helpful Jetblack Snake
High
A malicious user can create multiple rebate_manager in advance

Summary
A malicious user can create rebate_manager in advance, steal funds from the protocol, or prevent rebate_manager from being created.

Vulnerability Detail
rebate_manager uses the address of quote_token_mint as seeds to generate a new address:

So there will be multiple rebate_manager in the protocol if there are multiple quote_token_mint. When we add a new quote_token_mint, we need to initialize a new rebate_manager. Initializing rebate_manager requires calling the CreateRebateManager.handler function:

This function can be called by anyone, and if an attacker calls it, rebate_manager.authority is set to the attacker's address. If the administrator deposits into token_vault (quote token), rebate_manager.authority needs to be verified:

If rebate_manager is created by an attacker, rebate_manager.authority is the attacker's address and the administrator cannot deposit. However, an attacker could add the administrator account to admin_authority, so that the administrator would deposit funds into the rebate_manager created by the attacker. An attacker can then withdraw funds from rebate_manager.

The administrator queries the address of rebate_manager by the program id. The administrator may not know that rebate_manager was created by the attacker if the administrator does not check the address of rebate_manager.authority.

In another case, the administrator checks the address of rebate_manager.authority, finds out that rebate_manager is fake, and wants to recreate rebate_manager. The problem is that rebate_manager uses the init keyword, so rebate_manager cannot be recreated:

Since there can be multiple rebate_manager, an attacker can create all possible rebate_manager in advance (against the mainstream quote_token_mint).

Impact
Steal funds from the protocol, or prevent rebate_manager from being created.

Code Snippet
https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/1c4c9c622e8c44ae2f8cd4219c7c2a0181f25ca0/WOOFi_Solana/programs/rebate_manager/src/instructions/admin/create_rebate_manager.rs#L14-L23
https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/1c4c9c622e8c44ae2f8cd4219c7c2a0181f25ca0/WOOFi_Solana/programs/rebate_manager/src/instructions/admin/deposit_withdraw.rs#L19-L54
Tool used
Manual Review
Recommendation
Only allow administrators to call CreateRebateManager.handle.
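To make the front-running behaviour and the recommended fix concrete, the following is an added, plain-Rust model of the pattern above; it is not the WOOFi code and uses no Anchor types. It assumes a `program_admin` key that the create instruction compares the signer against, and models Anchor `init` as "fail if the PDA for this quote_token_mint already exists".

```rust
// Added illustration (not the WOOFi program): an in-memory model of a PDA
// account keyed by quote_token_mint, showing why an unauthenticated create
// instruction can be claimed first by anyone and how an admin-only check
// prevents it. `program_admin` and all names here are assumptions.
use std::collections::HashMap;

type Pubkey = [u8; 32];

#[derive(Debug, Clone, PartialEq)]
pub struct RebateManager {
    pub authority: Pubkey,
    pub quote_token_mint: Pubkey,
}

pub struct Program {
    /// Key expected to own every rebate_manager (assumed field).
    pub program_admin: Pubkey,
    /// Models on-chain accounts: exactly one PDA per quote_token_mint seed.
    pub accounts: HashMap<Pubkey, RebateManager>,
}

impl Program {
    /// Vulnerable shape: any signer may initialize the PDA and becomes its authority.
    pub fn create_unchecked(&mut self, signer: Pubkey, mint: Pubkey) -> Result<(), &'static str> {
        if self.accounts.contains_key(&mint) {
            // Anchor `init` semantics: the account cannot be created twice.
            return Err("account already initialized");
        }
        self.accounts.insert(mint, RebateManager { authority: signer, quote_token_mint: mint });
        Ok(())
    }

    /// Hardened shape: only the program admin may create a rebate_manager.
    pub fn create_admin_only(&mut self, signer: Pubkey, mint: Pubkey) -> Result<(), &'static str> {
        if signer != self.program_admin {
            return Err("unauthorized creator");
        }
        self.create_unchecked(signer, mint)
    }

    /// Deposit guard as described in the finding: the signer must be the authority.
    pub fn deposit(&self, signer: Pubkey, mint: Pubkey) -> Result<(), &'static str> {
        let rm = self.accounts.get(&mint).ok_or("rebate_manager not found")?;
        if rm.authority != signer {
            return Err("signer is not rebate_manager.authority");
        }
        Ok(())
    }
}
```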