Initialization functions of rebate_manager, woofi are front-runnable
Summary
The create_rebate_manager , create_rebate_info instructions in the rebate_manager program and create_config instruction in the woofi program can be invoked by any account. They assign the caller as the authority of the rebate_manager , rebate_info and wooconfig account respectively, which is the administrative authority of the programs.
Vulnerability Detail
Once the progarms get deployed, anyone can become the account authority by calling the initialization function, since there is no mechanism to restrict access to these instructions, such as validating that only
the deployer of the program or an authorised entity can perform the initialization.
Impact
A malicious actor can take complete ownership of the administrative accounts and hence
the program.
Implement access control on the caller of these instructions. A common practice is to use the program’s upgrade_authority as the authorized address to call the functions, if the program has an upgrade authority. Another solution is to set a hardcoded address of the expected owner’s public key to restrict access to only that specific address.
Proud Wintergreen Butterfly
High
Initialization functions of rebate_manager, woofi are front-runnable
Summary
The
create_rebate_manager
,create_rebate_info
instructions in the rebate_manager program andcreate_config
instruction in thewoofi
program can be invoked by any account. They assign the caller as the authority of therebate_manager
,rebate_info
andwooconfig
account respectively, which is the administrative authority of the programs.Vulnerability Detail
Once the progarms get deployed, anyone can become the account authority by calling the initialization function, since there is no mechanism to restrict access to these instructions, such as validating that only the deployer of the program or an authorised entity can perform the initialization.
Impact
A malicious actor can take complete ownership of the administrative accounts and hence the program.
Code Snippet
create_rebate_info instruction create_rebate_manager instruction create_config instruction
sherlock-bot doesn't detect my references-ignore
Tool used
Manual Review
Recommendation
Implement access control on the caller of these instructions. A common practice is to use the program’s upgrade_authority as the authorized address to call the functions, if the program has an upgrade authority. Another solution is to set a hardcoded address of the expected owner’s public key to restrict access to only that specific address.