Category: Coding Mistakes
Potential seed collision
Severity: Informational
Impact: Informational
Likelihood: N/A
Description
It was found that PDA accounts in both the vault and swap-endpoint programs derive their addresses from pubkeys alone, without a constant prefix in the seeds.
#[account(
    init_if_needed,
    seeds = [deposit_channel_associated_token_account.key().as_ref()],
    bump,
    payer = agg_key,
    space = size_of::<DepositChannelHistoricalFetch>() + DISCRIMINATOR_SIZE,
)]
Impact
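This might result in seed collisions in case of any future updates to the code: a PDA address depends only on the seeds and the program ID, so two account types seeded with nothing but the same pubkey would derive the same address.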
Recommendations
It is recommended to use constant prefixes with pubkeys to derive the PDA addresses.
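The following is an added example, not code from the audited programs: an off-chain Python model of Solana's PDA derivation showing that two account types seeded only with the same pubkey derive the same address, while a constant prefix per account type separates them. The program ID, the token account key, the second account type and the prefix strings are constructed for illustration.

```python
import hashlib

P = 2**255 - 19                            # ed25519 field prime
D = (-121665 * pow(121666, -1, P)) % P     # Edwards curve constant d

def is_on_curve(b: bytes) -> bool:
    """True if the 32 bytes decompress to a valid ed25519 point."""
    y = (int.from_bytes(b, "little") & ((1 << 255) - 1)) % P
    x2 = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    return x2 == 0 or pow(x2, (P - 1) // 2, P) == 1   # x^2 must be a square

def find_program_address(seeds, program_id: bytes):
    """Model of find_program_address: highest bump giving an off-curve hash."""
    if len(seeds) > 15 or any(len(s) > 32 for s in seeds):
        raise ValueError("too many seeds or a seed longer than 32 bytes")
    for bump in range(255, -1, -1):
        data = b"".join(seeds) + bytes([bump]) + program_id
        h = hashlib.sha256(data + b"ProgramDerivedAddress").digest()
        if not is_on_curve(h):
            return h, bump
    raise ValueError("no valid bump found")

# Constructed sample values (not real keys or program IDs).
PROGRAM_ID = hashlib.sha256(b"constructed program id").digest()
TOKEN_ACCOUNT = hashlib.sha256(b"constructed token account key").digest()

def derive_all():
    # Pattern from the finding: the pubkey is the only seed.
    fetch_old, _ = find_program_address([TOKEN_ACCOUNT], PROGRAM_ID)
    # Hypothetical account type added in a later update, seeded the same way.
    other_old, _ = find_program_address([TOKEN_ACCOUNT], PROGRAM_ID)
    # Recommended pattern: constant prefix per account type (names hypothetical).
    fetch_new, _ = find_program_address(
        [b"historical_fetch", TOKEN_ACCOUNT], PROGRAM_ID)
    other_new, _ = find_program_address(
        [b"other_account", TOKEN_ACCOUNT], PROGRAM_ID)
    return fetch_old, other_old, fetch_new, other_new

if __name__ == "__main__":
    fetch_old, other_old, fetch_new, other_new = derive_all()
    print("pubkey-only seeds collide:", fetch_old == other_old)
    print("prefixed seeds collide:   ", fetch_new == other_new)
```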
Remediation
This issue has been acknowledged by Chainflip, and a fix was implemented in commit 5c784600.