Behavior of multisig accounts with repeated signers
During our audit we observed that it is possible to initialize a multisig account with the same signer repeated multiple times.
The function used for validating the signers of a transaction, validate_owner
, counts a signer of a transaction as having signed it the exact number of times the account is repeated, regardless of how many times the account appears in the list of signers. Despite this being reasonable behavior, it is unclear if this specific edge case was considered.
The Solana Foundation engineering team acknowledged this discussion point.