Potential for Unauthorized Rebate Adjustments in AddSubRebate
Summary
Vulnerability Detail
In the AddSubRebate instruction, any authority that is either the rebate_manager.authority or an admin_authority can add or subtract pending rebates from any RebateInfo account:
Since rebate_authority is an unchecked account and can be any account, an admin could potentially manipulate the pending_rebate of any RebateInfo, including their own, leading to unauthorized fund claims.
Introduce additional constraints or checks to ensure that only authorized actions can be taken on a RebateInfo. For example, you might require that only the rebate_manager.authority (not admin_authority) can adjust rebates, or you might include logic to prevent admins from adjusting rebates for accounts they control.
Zesty Sage Tapir
Medium
Potential for Unauthorized Rebate Adjustments in
AddSubRebate
Summary
Vulnerability Detail
In the
AddSubRebate
instruction, anyauthority
that is either therebate_manager.authority
or anadmin_authority
can add or subtract pending rebates from anyRebateInfo
account:Since
rebate_authority
is an unchecked account and can be any account, an admin could potentially manipulate thepending_rebate
of anyRebateInfo
, including their own, leading to unauthorized fund claims.Impact
Code Snippet
https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/rebate_manager/src/instructions/admin/add_sub_rebate.rs#L9
Tool used
Manual Review
Recommendation
Introduce additional constraints or checks to ensure that only authorized actions can be taken on a
RebateInfo
. For example, you might require that only therebate_manager.authority
(notadmin_authority
) can adjust rebates, or you might include logic to prevent admins from adjusting rebates for accounts they control.