Description

The vault program uses the Anchor framework, which uses Borsh serialization for program accounts. It was found that core::mem::size_of was used to compute the size to be reserved for multiple program accounts.

#[account(
    init,
    seeds = [&DATA_ACCOUNT_SEED],
    bump,
    payer = initializer,
    space = size_of::<DataAccount>() + DISCRIMINATOR_SIZE,
)]
pub data_account: Account<'info, DataAccount>

This is currently not an issue because the types being used for the current program structures just happen to have the same sizes with Borsh and native Rust types. However, there are types for which Borsh sizing varies.

Impact

The computed size could be smaller if changes are made to any of these structures in the future.

Recommendations

It is recommended to use the Anchor InitSpace macro to compute the sizes instead.

Remediation

This issue has been acknowledged by Chainflip, and a fix was implemented in commit 1cb51482↗.