verify_message
This instruction can be used to verify the legitimacy of a price feed update.
The instruction handler collects the required fee amount specified by the single_update_fee_in_lamports of the storage account, transferring it from the payer account to the treasury account.
It then verifies that the message data was correctly signed by ensuring that the transaction contains an instruction invoking the ed25519 system program, which ensures that the price feed update was validly signed by one of the currently active trusted signers.
Verification of the ed25519 instruction requires several checks, including:
- ensuring that the instruction indices used to retrieve the signature, public key, and signed message by the ed25519 instruction refer to the current verify_message instruction
- ensuring that the ed25519 instruction index is lower than the current verify_message instruction
- (implicitly) ensuring that at least one signature is present
- ensuring that the signed data starts with the magic value SOLANA_FORMAT_MAGIC_LE (2182742457) to disambiguate messages that may have been signed for other purposes
- ensuring the signer pubkey appears in the set of trusted signers
- ensuring the signer trust has not expired
- ensuring that the offsets for the signature, signer pubkey, and payload provided to the ed25519 instruction are consistent with the offsets used by verify_message
- ensuring that the payload length is consistent
Note that the offset checks are implemented incorrectly, allowing a complete bypass of the signature verification checks. Refer to finding ref↗ for a more in-depth discussion of the issue.
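How the index, magic, offset and length checks listed above fit together, as an added Rust sketch that is not the audited program's code. The envelope layout (magic, signature, pubkey, u16 length, payload), the function names and the sample data are assumptions; the header and 14-byte offsets entry follow the Solana ed25519 program's input format. The trusted-signer and expiry checks are left out.

```rust
// Assumed envelope at message_offset (illustrative, not the audited code):
// magic(4) | signature(64) | pubkey(32) | payload_len(2) | payload
const SOLANA_FORMAT_MAGIC_LE: u32 = 2182742457; // value quoted in the report
const SIG_AT: usize = 4;
const KEY_AT: usize = 68;
const PAYLOAD_AT: usize = 102; // the u16 payload length sits at PAYLOAD_AT - 2

fn u16_at(d: &[u8], i: usize) -> Option<u16> {
    Some(u16::from_le_bytes([*d.get(i)?, *d.get(i + 1)?]))
}

/// Ok only if ed25519 entry `signature_index` covers the bytes verify_message parses.
pub fn check_binding(ed_data: &[u8], ed_ix: u16, cur_ix: u16, signature_index: usize,
                     ix_data: &[u8], message_offset: u16) -> Result<(), &'static str> {
    if ed_ix >= cur_ix { return Err("ed25519 instruction must precede verify_message"); }
    // ed25519 data: num_signatures (u8), padding (u8), then seven LE u16 fields per entry.
    let count = usize::from(*ed_data.first().ok_or("empty ed25519 data")?);
    if signature_index >= count { return Err("signature index out of range"); }
    let f = |k: usize| u16_at(ed_data, 2 + signature_index * 14 + 2 * k).ok_or("truncated offsets");
    let (sig_off, sig_ix, key_off, key_ix) = (f(0)?, f(1)?, f(2)?, f(3)?);
    let (msg_off, msg_len, msg_ix) = (f(4)?, f(5)?, f(6)?);
    if [sig_ix, key_ix, msg_ix] != [cur_ix; 3] { return Err("offsets point at another instruction"); }
    let m = usize::from(message_offset); // usize arithmetic so expected offsets cannot wrap
    let magic = ix_data.get(m..m + 4).ok_or("truncated message")?;
    if magic != &SOLANA_FORMAT_MAGIC_LE.to_le_bytes()[..] { return Err("magic mismatch"); }
    let payload_len = u16_at(ix_data, m + PAYLOAD_AT - 2).ok_or("truncated message")?;
    if ix_data.len() < m + PAYLOAD_AT + usize::from(payload_len) { return Err("truncated payload"); }
    let got = [sig_off, key_off, msg_off].map(usize::from);
    if got != [m + SIG_AT, m + KEY_AT, m + PAYLOAD_AT] { return Err("offset mismatch"); }
    if msg_len != payload_len { return Err("payload length mismatch"); }
    Ok(())
}

/// Constructed sample: (ed25519 instruction data, verify_message instruction data).
pub fn sample(message_offset: u16, payload: &[u8]) -> (Vec<u8>, Vec<u8>) {
    let (m, n) = (message_offset, payload.len() as u16);
    let mut ix = vec![0u8; usize::from(m)]; // bytes that precede the envelope
    ix.extend(SOLANA_FORMAT_MAGIC_LE.to_le_bytes());
    ix.extend([0xAAu8; 96]); // dummy signature (64) and pubkey (32) bytes
    ix.extend(n.to_le_bytes());
    ix.extend(payload);
    let mut ed = vec![1u8, 0]; // one entry, all fields referencing instruction index 1
    ed.extend([m + 4, 1, m + 68, 1, m + 102, n, 1].iter().flat_map(|v| v.to_le_bytes()));
    (ed, ix)
}

fn main() {
    let (ed, ix) = sample(12, b"price update");
    println!("{:?}", check_binding(&ed, 0, 1, 0, &ix, 12));
}
```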
Arguments
- message_data: signed message that is being verified
- ed25519_instruction_index: index of the ed25519_program instruction within the transaction. This instruction must precede the current instruction
- signature_index: index of the signature within the inputs to the ed25519_program
- message_offset: offset of the signed message within the input data for the current instruction
Accounts
- payer: account paying for the price feed verification fees
  Anchor flags: signer, mut
- storage: account storing Lazer configuration
  Seed: STORAGE_SEED (fixed constant)
  Notes: the storage account must have been migrated; deserialization would fail for a legacy-layout account due to mismatching size
- treasury: Treasury token account used to collect fees
  Checks: Must match the treasury field of the storage account
- instructions_sysvar: Sysvar account used for instruction introspection
  Notes: this is taken as a raw AccountInfo; the account ID is checked by the Solana SDK functions that receive it as an argument
Tests
Positive cases
Negative cases
Note: this test was added as part of the remediations