Description

The functions handling the confidential transfer instructions WithdrawWithheldTokensFromAccounts and WithdrawWithheldTokensFromMint ignore some of the restrictions that can be applied to confidential token accounts:

• allow_balance_credits: An account can be configured to deny credits to its pending balance.

• pending_balance_credit_counter: This value should be checked not to be greater than maximum_pending_balance_credit_counter. The instructions also do not increment pending_balance_credit_counter.

We note that these instructions directly add the entire value of the withheld balance to the pending_balance_lo of the destination account. This could potentially cause the pending balance to become bigger than $2^{16}$ or even $2^{32}$, making decryption of the balance difficult.

Impact

An attacker with control of the keys trusted with managing transfer fees could credit the encrypted pending balance of an account bypassing the configuration applied by the account owner and potentially make it difficult for the victim to decrypt the encrypted balance.

Recommendations

• Revert the transaction if allow_balance_credits is set on the destination account.

• Revert the transaction if pending_balance_credit_counter is not less than maximum_pending_balance_credit_counter. Increment pending_balance_credit_counter after the transfer taken place.

Since the value of the transferred balances is encrypted, limiting the transferred value to avoid overflowing the soft amount of $2^{32}$ is challenging and would require extensive modifications.

Remediation

Pull request #3774↗ fixes the issue following our recommendation. The PR head commit 16384e2 was merged in the master branch on October 28, 2022.

The confidential token transfer extension was not used at the time the audit was conducted; therefore, funds were not at risk.