Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Pyth Lazer>Threat Model>initialize
GeneralOverview
Findings
Critical (1)
Low (1)
Threat ModelProgram: Lazerinitializemigrate_from_0_1_0updateverify_message
Audit ResultsAssessment Results

initialize

This instruction can be used to create and initialize the singleton storage account. The instruction handler function does not enforce access control, and therefore it could technically be invoked by any caller. However, the storage account being created has a fixed seed. For this reason, initialize can only be called once. While this does not directly prevent someone to race to call the instruction and initialize the storage account, this action would be detected and could be addressed by simply redeploying and reinitializing a new instance of the program.

The storage account top_authority and treasury fields are initialized to public key values given as arguments to the initialize instruction, and single_update_fee_in_lamports is initialized to 1.

Arguments

  • top_authority: public key value used to initialize the top_authority field in the newly created storage account

  • treasury: public key value used to initialize the treasury field in the newly created storage account

Accounts

  • payer: account paying for the fees needed to create the storage account

    • Anchor flags: signer, mut

  • storage: new account being initialized

    • Anchor flags: init

    • Payer: payer

    • Seed: STORAGE_SEED (fixed constant)

    • Space: manually specified

Tests

Happy path behavior is implicitly tested by the testsuite setup routines.

Zellic © 2025Back to top ↑