Category: Coding Mistakes
Usage of Pubkey rather than Mint
Severity: Informational
Impact: Informational
Likelihood: N/A
Description
In the whitelist_asset and set_min_deposit instructions, the asset to configure is supplied by the operator as a Pubkey in the instruction arguments:
#[instruction(asset: Pubkey, min_deposit: u64)]
pub struct WhitelistAsset<'info> {
    // ...
}

#[instruction(asset: Pubkey, min_deposit: u64)]
pub struct SetMinDeposit<'info> {
    // ...
}
The asset is intended to be a Solana Program Library (SPL) token mint, but the implementation does not enforce this requirement.
Impact
The operator can whitelist an asset that is not an SPL token mint. This does not cause any direct issues since the deposit_spl instruction derives the asset from the mint of a TokenAccount, but this should be fixed to prevent future security regressions.
Recommendations
The asset to configure should not be an instruction argument but instead a Mint account from the anchor-spl crate.
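The difference between the two designs, as an added example that is neither Layer N's code nor Anchor itself: a dependency-free Rust model of the checks an asset must pass once it is typed as a token-program-owned, initialized mint account instead of a bare Pubkey. AccountView, whitelist_by_pubkey, whitelist_by_mint, the sample accounts and the TOKEN_PROGRAM bytes are constructed for illustration.

```rust
// Simplified model (no Solana crates) of validating the asset as an SPL mint account.
type Pubkey = [u8; 32];

const TOKEN_PROGRAM: Pubkey = [7u8; 32]; // constructed stand-in for the SPL Token program id
const SYSTEM_PROGRAM: Pubkey = [0u8; 32]; // the system program id is 32 zero bytes
const MINT_LEN: usize = 82; // packed size of an SPL Mint
const IS_INITIALIZED: usize = 45; // after mint authority (36), supply (8), decimals (1)

/// Minimal view of an on-chain account: address, owning program, raw data.
struct AccountView {
    key: Pubkey,
    owner: Pubkey,
    data: Vec<u8>,
}

#[derive(Debug, PartialEq)]
enum AssetError { WrongOwner, WrongLength, Uninitialized }

/// Current design: the asset is only an instruction argument, so any 32 bytes pass.
fn whitelist_by_pubkey(asset: Pubkey) -> Pubkey { asset }

/// Recommended design: the asset is an account that must be owned by the token
/// program and whose data must unpack as an initialized mint.
fn whitelist_by_mint(asset: &AccountView) -> Result<Pubkey, AssetError> {
    if asset.owner != TOKEN_PROGRAM { return Err(AssetError::WrongOwner); }
    if asset.data.len() != MINT_LEN { return Err(AssetError::WrongLength); }
    if asset.data[IS_INITIALIZED] != 1 { return Err(AssetError::Uninitialized); }
    Ok(asset.key)
}

// Constructed sample accounts: a real mint, a wallet, and a 165-byte token account.
fn sample_mint() -> AccountView {
    let mut data = vec![0u8; MINT_LEN];
    data[IS_INITIALIZED] = 1;
    AccountView { key: [1; 32], owner: TOKEN_PROGRAM, data }
}
fn sample_wallet() -> AccountView {
    AccountView { key: [2; 32], owner: SYSTEM_PROGRAM, data: Vec::new() }
}
fn sample_token_account() -> AccountView {
    AccountView { key: [3; 32], owner: TOKEN_PROGRAM, data: vec![0u8; 165] }
}

fn main() {
    println!("pubkey arg accepts wallet: {:?}", whitelist_by_pubkey(sample_wallet().key)[0]);
    for acct in [sample_mint(), sample_wallet(), sample_token_account()] {
        println!("mint account check: {:?}", whitelist_by_mint(&acct).map(|k| k[0]));
    }
}
```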
Remediation
This issue has been acknowledged by Layer N, and a fix was implemented in commit ed392f7c.