Assessment reportsPublic findings
Back to Zellic site
Assessment reports>N1 Bridge>Informational findings>Usage of ,Pubkey, rather than ,Mint
GeneralOverview
Findings
High (1)
Informational (2)Associated Token Account check not enforced on withdrawal accountUsage of Pubkey rather than Mint
DiscussionBlock validationUnused accountsTest suite
Threat ModelWhat are threat models?bridge
Audit ResultsAssessment Results
Category: Coding Mistakes

Usage of Pubkey rather than Mint

Informational Severity
Informational Impact
N/A Likelihood

Description

In the whitelist_asset and set_min_deposit instructions, the asset to configure is supplied by the operator as a Pubkey in the instruction arguments:

#[instruction(asset: Pubkey, min_deposit: u64)]
pub struct WhitelistAsset<'info> {
    // ...
}
#[instruction(asset: Pubkey, min_deposit: u64)]
pub struct SetMinDeposit<'info> {
    // ...
}

The asset is intended to be a Solana Program Library (SPL) token mint, but this requirement is not set by the implementation.

Impact

The operator can whitelist an asset that is not an SPL token mint.

This does not cause any direct issues since the deposit_spl instruction derives the asset from the mint of a TokenAccount, but this should be fixed to prevent future security regressions.

Recommendations

The asset to configure should not be an instruction argument but instead a Mint account from the anchor-spl crate.

Remediation

This issue has been acknowledged by Layer N, and a fix was implemented in commit ed392f7c.

Zellic © 2025Back to top ↑