Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Albort - Potential for Unauthorized Rebate Adjustments in AddSubRebate #80

Open
sherlock-admin4 opened this issue Sep 24, 2024 · 1 comment
Open

Albort - Potential for Unauthorized Rebate Adjustments in AddSubRebate #80

sherlock-admin4 opened this issue Sep 24, 2024 · 1 comment
Labels
Sponsor Disputed The sponsor disputed this issue's validity Won't Fix The sponsor confirmed this issue will not be fixed

Comments

@sherlock-admin4
Copy link

sherlock-admin4 commented Sep 24, 2024
edited
Loading

Albort

Medium

Potential for Unauthorized Rebate Adjustments in AddSubRebate

Summary

Vulnerability Detail

In the AddSubRebate instruction, any authority that is either the rebate_manager.authority or an admin_authority can add or subtract pending rebates from any RebateInfo account:

#[derive(Accounts)]
pub struct AddSubRebate<'info> {
    pub authority: Signer<'info>,

    // Other accounts...

    #[account(mut,
        has_one = rebate_manager,
        has_one = rebate_authority,
    )]
    pub rebate_info: Account<'info, RebateInfo>,
}

Since rebate_authority is an unchecked account and can be any account, an admin could potentially manipulate the pending_rebate of any RebateInfo, including their own, leading to unauthorized fund claims.

Impact

Code Snippet

https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/rebate_manager/src/instructions/admin/add_sub_rebate.rs#L9

Tool used

Manual Review

Recommendation

Introduce additional constraints or checks to ensure that only authorized actions can be taken on a RebateInfo. For example, you might require that only the rebate_manager.authority (not admin_authority) can adjust rebates, or you might include logic to prevent admins from adjusting rebates for accounts they control.
@toprince
Copy link

Not valid.
rebate_authority means third party channel who is the owner of the rebate fee.

@sherlock-admin3 sherlock-admin3 added Sponsor Disputed The sponsor disputed this issue's validity Won't Fix The sponsor confirmed this issue will not be fixed labels Oct 13, 2024
@sherlock-admin4 sherlock-admin4 changed the title Zesty Sage Tapir - Potential for Unauthorized Rebate Adjustments in AddSubRebate Albort - Potential for Unauthorized Rebate Adjustments in AddSubRebate Oct 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Sponsor Disputed The sponsor disputed this issue's validity Won't Fix The sponsor confirmed this issue will not be fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@toprince @sherlock-admin3 @sherlock-admin4