Fix CPI token program spoofing in Create (validate SPL Token program id)#56
Open
Herrsosa wants to merge 1 commit into Bonfida:master from
PR Title
Fix CPI token program spoofing in Create (validate SPL Token program id)

Summary
This PR fixes a CPI program-id substitution vulnerability in the Create instruction by validating that the provided token program account is the official SPL Token program (spl_token::id()).

Root cause (what was wrong)
process_create accepted a caller-supplied "token program" account and used it as the program_id for the token transfer instruction, then CPI-invoked it, without verifying it was actually SPL Token. process_unlock already validated the token program id, but process_create did not.

Impact (why it matters)
A malicious caller could provide an arbitrary executable program ID in place of SPL Token and cause the vesting program to invoke that program during Create. This breaks the invariant "Create always transfers via SPL Token" and is a known Solana CPI security footgun, especially in composable contexts.

Fix
Create if spl_token_account.key != spl_token::id().

Tests
test_create_rejects_invalid_token_program (solana-program-test) that registers a fake program and asserts: InvalidArgument

Run locally:
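The following is an added example, not code from this PR or from the Bonfida vesting program. It models the root cause and the fix described above side by side: the unchecked shape forwards whatever key sits in the "token program" account slot as the CPI program_id, while the checked shape compares that key with the SPL Token program id first. Pubkey, AccountInfo and ProgramError are reduced stand-ins for the solana_program types so the file compiles with rustc alone, SPL_TOKEN_ID is a constructed placeholder for spl_token::id(), and CpiTarget records where invoke() would dispatch instead of performing a real CPI.

```rust
// Added example (not the project's code): a minimal model of the CPI program-id
// check. Pubkey/AccountInfo/ProgramError are stand-ins for solana_program types;
// SPL_TOKEN_ID is a constructed placeholder for spl_token::id().

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Pubkey(pub [u8; 32]);

/// Constructed placeholder for `spl_token::id()`; not the real program id.
pub const SPL_TOKEN_ID: Pubkey = Pubkey([0x01; 32]);

/// Minimal stand-in for solana_program::account_info::AccountInfo.
#[derive(Debug)]
pub struct AccountInfo {
    pub key: Pubkey,
    pub executable: bool,
}

#[derive(Debug, PartialEq, Eq)]
pub enum ProgramError {
    InvalidArgument,
    NotEnoughAccountKeys,
}

/// Records which program a CPI would be dispatched to, in place of invoke().
#[derive(Debug, PartialEq, Eq)]
pub struct CpiTarget {
    pub program_id: Pubkey,
    pub amount: u64,
}

/// Vulnerable shape of process_create: the key of the caller-supplied "token
/// program" account becomes the program_id of the transfer CPI unverified.
pub fn process_create_unchecked(accounts: &[AccountInfo], amount: u64) -> Result<CpiTarget, ProgramError> {
    let spl_token_account = accounts.get(0).ok_or(ProgramError::NotEnoughAccountKeys)?;
    // An `executable` check alone is not a defence: any deployed program is executable.
    if !spl_token_account.executable {
        return Err(ProgramError::InvalidArgument);
    }
    Ok(CpiTarget { program_id: spl_token_account.key, amount })
}

/// The fix: the account key must equal the SPL Token program id, the same
/// comparison the PR says process_unlock already performed.
pub fn check_token_program(account: &AccountInfo) -> Result<(), ProgramError> {
    if account.key != SPL_TOKEN_ID {
        return Err(ProgramError::InvalidArgument);
    }
    Ok(())
}

/// Hardened shape of process_create: validate before building the CPI.
pub fn process_create_checked(accounts: &[AccountInfo], amount: u64) -> Result<CpiTarget, ProgramError> {
    let spl_token_account = accounts.get(0).ok_or(ProgramError::NotEnoughAccountKeys)?;
    check_token_program(spl_token_account)?;
    Ok(CpiTarget { program_id: spl_token_account.key, amount })
}

fn main() {
    // Constructed accounts: one genuine SPL Token slot, one spoofed executable program.
    let genuine = [AccountInfo { key: SPL_TOKEN_ID, executable: true }];
    let spoofed = [AccountInfo { key: Pubkey([0x42; 32]), executable: true }];

    println!("unchecked, spoofed: {:?}", process_create_unchecked(&spoofed, 1_000));
    println!("checked,   spoofed: {:?}", process_create_checked(&spoofed, 1_000));
    println!("checked,   genuine: {:?}", process_create_checked(&genuine, 1_000));
}
```

The unchecked path happily reports the spoofed key as the CPI target, which is exactly the substitution the PR closes; the checked path returns InvalidArgument for it, matching what test_create_rejects_invalid_token_program asserts, and passes only the genuine id through.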