sherlock-audit / 2024-08-woofi-solana-deployment-judging


Proud Wintergreen Butterfly - Initialization functions of rebate_manager, woofi are front-runnable #84

Open sherlock-admin2 opened 13 hours ago

sherlock-admin2 commented 13 hours ago

Proud Wintergreen Butterfly

High

Initialization functions of rebate_manager, woofi are front-runnable

Summary

The create_rebate_manager, create_rebate_info instructions in the rebate_manager program and the create_config instruction in the woofi program can be invoked by any account. They assign the caller as the authority of the rebate_manager, rebate_info and wooconfig account respectively, which is the administrative authority of the programs.

Vulnerability Detail

Once the programs get deployed, anyone can become the account authority by calling the initialization function, since there is no mechanism to restrict access to these instructions, such as validating that only the deployer of the program or an authorised entity can perform the initialization.

Impact

A malicious actor can take complete ownership of the administrative accounts and hence the program.

Code Snippet

create_rebate_info instruction
create_rebate_manager instruction
create_config instruction

sherlock-bot doesn't detect my references-ignore

Tool used

Manual Review

Recommendation

Implement access control on the caller of these instructions. A common practice is to use the program’s upgrade_authority as the authorized address to call the functions, if the program has an upgrade authority. Another solution is to set a hardcoded address of the expected owner’s public key to restrict access to only that specific address.
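The guard described in the recommendation, written out as an added example in plain Rust (this is not the WOOFi program code or Anchor's own implementation). It models the two fixes side by side: gating initialization on the program's upgrade authority, read from the BPF upgradeable loader's ProgramData account (bincode layout: u32 variant tag 3, u64 slot, u8 Option tag, then the 32-byte authority), and gating it on a hardcoded expected owner. The `Pubkey` alias, the `EXPECTED_OWNER` constant, the error enum and every key value are constructed for the example and are not real keys.

```rust
// Added example: models the initialization guard the recommendation asks for.
// Pubkey is a plain 32-byte array here; in a real program it is solana_program::pubkey::Pubkey.
use std::convert::TryInto;

pub type Pubkey = [u8; 32];

#[derive(Debug, PartialEq)]
pub enum InitError {
    BadProgramData,     // account bytes are not a ProgramData record
    NoUpgradeAuthority, // program is immutable, so nobody can pass this gate
    Unauthorized,       // signer is neither the upgrade authority nor the expected owner
}

/// Read `upgrade_authority_address` out of a BPF upgradeable loader ProgramData
/// account. Layout is bincode: u32 variant tag (3 = ProgramData), u64 slot,
/// u8 Option tag (0 = None, 1 = Some), then the 32-byte pubkey when present.
pub fn upgrade_authority(data: &[u8]) -> Result<Option<Pubkey>, InitError> {
    if data.len() < 13 {
        return Err(InitError::BadProgramData);
    }
    let tag = u32::from_le_bytes(data[0..4].try_into().unwrap());
    if tag != 3 {
        return Err(InitError::BadProgramData);
    }
    match data[12] {
        0 => Ok(None),
        1 if data.len() >= 45 => Ok(Some(data[13..45].try_into().unwrap())),
        _ => Err(InitError::BadProgramData),
    }
}

/// Vulnerable shape from the report: whoever signs first becomes the authority.
pub fn init_without_check(signer: Pubkey) -> Pubkey {
    signer
}

/// Fix 1: only the program's current upgrade authority may initialize.
/// An immutable program (authority = None) is rejected rather than left open.
pub fn init_with_upgrade_authority(program_data: &[u8], signer: Pubkey) -> Result<Pubkey, InitError> {
    match upgrade_authority(program_data)? {
        None => Err(InitError::NoUpgradeAuthority),
        Some(auth) if auth == signer => Ok(signer),
        Some(_) => Err(InitError::Unauthorized),
    }
}

/// Fix 2: compare the signer against a compile-time expected owner.
/// Placeholder value; a real deployment would bake in the owner's public key.
pub const EXPECTED_OWNER: Pubkey = [0x11; 32];

pub fn init_with_hardcoded_owner(signer: Pubkey) -> Result<Pubkey, InitError> {
    if signer == EXPECTED_OWNER {
        Ok(signer)
    } else {
        Err(InitError::Unauthorized)
    }
}

/// Build a constructed ProgramData account image (header only) for the demo.
pub fn program_data_bytes(slot: u64, authority: Option<Pubkey>) -> Vec<u8> {
    let mut v = 3u32.to_le_bytes().to_vec();
    v.extend_from_slice(&slot.to_le_bytes());
    match authority {
        None => v.push(0),
        Some(a) => {
            v.push(1);
            v.extend_from_slice(&a);
        }
    }
    v
}

fn main() {
    let deployer: Pubkey = [0xAA; 32]; // constructed key
    let attacker: Pubkey = [0xBB; 32]; // constructed key
    let pd = program_data_bytes(100, Some(deployer));
    println!("no check, attacker signs:  {:?}", init_without_check(attacker)[0]);
    println!("upgrade-authority gate, attacker: {:?}", init_with_upgrade_authority(&pd, attacker));
    println!("upgrade-authority gate, deployer: {:?}", init_with_upgrade_authority(&pd, deployer).map(|k| k[0]));
    println!("hardcoded gate, attacker: {:?}", init_with_hardcoded_owner(attacker));
}
```

In an Anchor program the same gate is normally expressed declaratively: the init instruction takes `program_data: Account<'info, ProgramData>` plus the program account itself, and a `constraint = program_data.upgrade_authority_address == Some(admin.key())` on the accounts struct, so the runtime rejects any other signer before the handler runs. The `NoUpgradeAuthority` branch matters because once the upgrade authority is set to `None` the first fix can no longer initialize anything, which is why the hardcoded-owner variant is the usual fallback for frozen programs.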

toprince commented 10 hours ago

Impossible to create config twice. Rebate manager part is the same as https://github.com/sherlock-audit/2024-08-woofi-solana-deployment-judging/issues/14