feat(account): Check Owner on Reload #3837
Conversation
|
@0xIchigo is attempting to deploy a commit to the Solana Foundation Team on Vercel. A member of the Team first needs to authorize it. |
|
@0xIchigo Can you please fix the failed tests? |
|
See #3819, which removed the |
|
@swaroop-osec @jamie-osec all good now 🫡 |
|
The latest updates on your projects. Learn more about Vercel for GitHub. 1 Skipped Deployment
|
| if info.owner == &system_program::ID && info.lamports() == 0 { | ||
| return Err(ErrorCode::AccountNotInitialized.into()); | ||
| } | ||
| T::check_owner(info.owner)?; | ||
| let mut data: &[u8] = &info.try_borrow_data()?; | ||
| Ok(Self::new(info, T::try_deserialize(&mut data)?)) | ||
| // `InterfaceAccount` targets foreign program accounts (e.g., SPL Token | ||
| // accounts) that do not have Anchor discriminators. Because of that, we | ||
| // intentionally skip the Anchor discriminator check here and instead: | ||
| // | ||
| // 1) Validate program ownership via `T::check_owner(info.owner)?` | ||
| // 2) Deserialize without a discriminator by delegating to | ||
| // `T::try_deserialize_unchecked` | ||
| Self::try_from_unchecked(info) |
There was a problem hiding this comment.
This is incorrect because InterfaceAccount does not make any assumptions about discriminators. anchor-spl just provides some types that can be used with InterfaceAccount and Interface, similar to how it provides types that can be used with Account and Program. The InterfaceAccount implementation itself has no idea about those types.
This change introduces a critical vulnerability by allowing unexpected account substitution.
There was a problem hiding this comment.
This PR aims to introduce an ownership check on Anchor's account reload method, resolving #3830