Confusing account owner check
Account ownership checks are performed using a couple of different patterns throughout the codebase. The main two checks are via validate_owner(...) and check_program_account(...), which work well. One area of confusion, though, is that calling get_required_account_extensions_from_unpacked_mint(...) performs an account ownership check. It is suggested that this check be migrated into StateWithExtensions::unpack and StateWithExtensionsMut::unpack. The SWE and SWEM unpack methods are only used with accounts that the program should own, so migrating the check would increase the resiliency of the codebase by mitigating a potential future situation where an account or mint is unpacked and its data is used for some decision without program ownership having been checked.
The Solana Foundation engineering team acknowledged this discussion point.
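The suggestion above, sketched as an added example (not code from the audited project): a simplified, std-only model in which the owner check lives inside unpack, so a well-formed account owned by another program is rejected before its data is parsed. AccountInfo, Mint, CheckedMint, PROGRAM_ID, sample_mint_bytes and the 9-byte layout are hypothetical stand-ins, not the SPL types.

```rust
// Simplified, std-only model of the suggestion; NOT the spl-token-2022 API.
// All names and the 9-byte layout below are hypothetical stand-ins.
type Pubkey = [u8; 32];
const PROGRAM_ID: Pubkey = [7u8; 32]; // constructed placeholder program id

#[derive(Debug, PartialEq)]
enum UnpackError { IncorrectProgramId, InvalidAccountData }

struct AccountInfo<'a> { owner: Pubkey, data: &'a [u8] }

#[derive(Debug, PartialEq)]
struct Mint { supply: u64, decimals: u8 }

struct CheckedMint { base: Mint }

impl CheckedMint {
    /// Ownership is verified before any byte of `data` is interpreted, so no
    /// call site can act on state from an account the program does not own.
    fn unpack(program_id: &Pubkey, account: &AccountInfo) -> Result<Self, UnpackError> {
        if account.owner != *program_id {
            return Err(UnpackError::IncorrectProgramId);
        }
        Self::parse(account.data)
    }

    // Byte parsing; only called from `unpack`, after the owner check.
    fn parse(data: &[u8]) -> Result<Self, UnpackError> {
        if data.len() != 9 {
            return Err(UnpackError::InvalidAccountData);
        }
        let mut supply = [0u8; 8];
        supply.copy_from_slice(&data[..8]);
        Ok(CheckedMint { base: Mint { supply: u64::from_le_bytes(supply), decimals: data[8] } })
    }
}

// Constructed sample input: little-endian supply followed by decimals.
fn sample_mint_bytes(supply: u64, decimals: u8) -> Vec<u8> {
    let mut bytes = supply.to_le_bytes().to_vec();
    bytes.push(decimals);
    bytes
}

fn main() {
    let data = sample_mint_bytes(1_000, 6);
    let owned = AccountInfo { owner: PROGRAM_ID, data: &data };
    let foreign = AccountInfo { owner: [9u8; 32], data: &data };
    println!("{:?}", CheckedMint::unpack(&PROGRAM_ID, &owned).map(|s| s.base));
    println!("{:?}", CheckedMint::unpack(&PROGRAM_ID, &foreign).map(|s| s.base));
}
```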