Malicious individuals can create corresponding rebate manage and rebate info accounts in advance
Summary
Due to the fact that the seed of the rebate_manage account is quote_token_mint, only one rebate_manage account can be created with a single quote_token token.
Malicious individuals can create a corresponding rebate_manage account before admin wants to add a new quote_token_maint, which can prevent admin from adding a new rebate_manage and losing control over the reward token
Due to other rebates already running in the system, it is unlikely to abandon this program and redeploy it
Vulnerability Detail
The rebate_manager can be created by anyone, and once created, it will prevent admin from adding the corresponding quote_tokent_mint to the rebate_manager
Refer to the config mode of the woofi program and set a rebate_config. Only the rebate_config admin can create a rebate manager. In this way, once the config account is fornt-run, the project team will redeploy and the impact will be greatly reduced
Fresh Pineapple Dalmatian
Medium
Malicious individuals can create corresponding rebate manage and rebate info accounts in advance
Summary
Due to the fact that the seed of the rebate_manage account is quote_token_mint, only one rebate_manage account can be created with a single quote_token token.
Malicious individuals can create a corresponding rebate_manage account before admin wants to add a new quote_token_maint, which can prevent admin from adding a new rebate_manage and losing control over the reward token
Due to other rebates already running in the system, it is unlikely to abandon this program and redeploy it
Vulnerability Detail
The rebate_manager can be created by anyone, and once created, it will prevent admin from adding the corresponding quote_tokent_mint to the rebate_manager
Impact
Code Snippet
https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/1c4c9c622e8c44ae2f8cd4219c7c2a0181f25ca0/WOOFi_Solana/programs/rebate_manager/src/instructions/admin/create_rebate_manager.rs#L11
Tool used
Manual Review
Recommendation
Refer to the config mode of the woofi program and set a rebate_config. Only the rebate_config admin can create a rebate manager. In this way, once the config account is fornt-run, the project team will redeploy and the impact will be greatly reduced