Solana Learn-to-Earn Protocol Flaw: Quest Authority Can Self-Deal, Drain Entire Reward Pool
A critical vulnerability in a Solana-based learn-to-earn protocol allows a quest authority to directly reward themselves, bypassing the system's core incentive model and draining the entire reward pool. The flaw, found in the reward distribution logic, creates a direct path for self-dealing where the entity that creates and funds a quest can also enroll, verify their own milestones, and claim all deposited funds. This undermines the fundamental trust and financial mechanics of the protocol, turning a mechanism designed for community participation into a potential exit scam for a single actor.
The technical vulnerability resides in the `contracts/rewards/src/lib.rs` file, specifically within the `distribute_reward` function. The code lacks a basic check to prevent the `authority` (the quest creator and funder) from being the same address as the `enrollee` (the participant). This omission enables a malicious quest owner to execute a precise sequence: create and fund a quest, enroll their own wallet, create and self-verify milestones, and finally call `distribute_reward` to transfer the entire pool's value to themselves. The attack is straightforward and requires no external interaction or complex exploit.
The impact is severe, especially for protocols planning to support crowdfunded quests where community funds are pooled. A single bad actor could create a seemingly legitimate quest, attract deposits from multiple users, and then instantly siphon the entire treasury. This represents a total failure of the learn-to-earn model's security assumptions, exposing user funds to direct theft by the very entities meant to administer rewards. The suggested fix is a simple authorization check that rejects any `distribute_reward` call where `authority == enrollee`, a fundamental safeguard that is currently absent.
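As an added illustration, not the protocol's own code, the following dependency-free Rust model shows the reward handler with and without the missing `authority == enrollee` check; `Quest`, `RewardError`, `pool_lamports`, `verified` and the `signer` parameter are assumed names that do not appear in the advisory.

```rust
use std::collections::HashSet;

/// Stand-in for a Solana public key; a real program would use `Pubkey` from the SDK.
pub type Pubkey = [u8; 32];

#[derive(Debug, PartialEq)]
pub enum RewardError {
    Unauthorized,        // signer is not the quest authority
    SelfDeal,            // authority tried to pay its own wallet
    MilestoneUnverified, // enrollee has no verified milestone
    InsufficientPool,    // payout exceeds what the quest holds
}

/// Minimal quest state (assumed shape): who funds and administers it, what it
/// holds, and which enrollees the authority has marked as verified.
pub struct Quest {
    pub authority: Pubkey,
    pub pool_lamports: u64,
    pub verified: HashSet<Pubkey>,
}

/// Checks shared by both handler variants.
fn common_checks(quest: &Quest, signer: &Pubkey, enrollee: &Pubkey, amount: u64) -> Result<(), RewardError> {
    if signer != &quest.authority { return Err(RewardError::Unauthorized); }
    if !quest.verified.contains(enrollee) { return Err(RewardError::MilestoneUnverified); }
    if amount > quest.pool_lamports { return Err(RewardError::InsufficientPool); }
    Ok(())
}

/// Vulnerable shape: every check passes when the authority enrolls itself,
/// because the authority also controls `verified`, so it can drain the pool.
pub fn distribute_reward_vulnerable(quest: &mut Quest, signer: &Pubkey, enrollee: &Pubkey, amount: u64) -> Result<u64, RewardError> {
    common_checks(quest, signer, enrollee, amount)?;
    quest.pool_lamports -= amount;
    Ok(quest.pool_lamports) // lamports remaining in the pool
}

/// Hardened shape: the funder can never be the payee. In an Anchor program this
/// belongs in the account constraints so it is enforced before the handler runs.
pub fn distribute_reward(quest: &mut Quest, signer: &Pubkey, enrollee: &Pubkey, amount: u64) -> Result<u64, RewardError> {
    if enrollee == &quest.authority { return Err(RewardError::SelfDeal); }
    common_checks(quest, signer, enrollee, amount)?;
    quest.pool_lamports -= amount;
    Ok(quest.pool_lamports)
}
```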