- Reported
-
- Issued
-
- Package
-
anchor-lang
(crates.io)
- Type
-
Vulnerability
- Keywords
-
#solana
#anchor
#account-validation
#interface-account
- Aliases
-
- References
-
- CVSS Score
- 8.7
HIGH
- CVSS Details
-
- Attack Complexity
- Low
- Attack Requirements
- None
- Attack Vector
- Network
- Privileges Required
- None
- Availability Impact to the Subsequent System
- None
- Confidentiality Impact to the Subsequent System
- None
- Integrity Impact to the Subsequent System
- None
- User Interaction
- None
- Availability Impact to the Vulnerable System
- None
- Confidentiality Impact to the Vulnerable System
- None
- Integrity Impact to the Vulnerable System
- High
- CVSS Vector
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
- Patched
-
- Unaffected
-
Description
Affected versions of anchor-lang allowed InterfaceAccount to accept accounts
with an unexpected Anchor discriminator. A change to InterfaceAccount caused
checked deserialization to be bypassed for this account wrapper, so validation
proved only that the account owner matched one of the accepted interface owners.
It did not prove that the account data belonged to the expected account type.
Programs using InterfaceAccount rely on Anchor to enforce both owner and
account-type validation before the handler runs. With discriminator checking
disabled, an attacker could pass another account type owned by an accepted
program and have it deserialized through the expected interface wrapper. This
could bypass account-type assumptions made by the program and lead to incorrect
authorization or state handling.
The issue was fixed in anchor-lang 1.0.0-rc.2 by restoring checked
deserialization for InterfaceAccount::try_from, while keeping explicitly
unchecked behavior available only through the unchecked API. Users should
upgrade to anchor-lang 1.0.0-rc.2 or later.
Advisory available under CC-BY-4.0
license.
Source: https://github.com/otter-sec/anchor/security/advisories/GHSA-429q-fhh4-r6hj