Assessment reports>SPL Token Wrap Program>Low findings>Missing ownership check on unwrapped mint account
Category: Business Logic

Missing ownership check on unwrapped mint account

Low Impact
Low Severity
Medium Likelihood

Description

The process_create_mint instruction takes a number of accounts as arguments and uses them to construct a wrapped token mint. One of these, the unwrapped_mint_account, is the account that the wrapped mint should be based on. The intent is that the wrapped mint is based on an existing, legitimate mint: the function deserializes the account and copies the relevant information to craft a new mint that wraps the source mint's tokens.

This function is missing an important constraint. The unwrapped_mint_account is deserialized, which confirms that the account's data matches the layout of a mint account, but the account's owner is never checked. This means that any account can be supplied, as long as it deserializes as expected. Thankfully, given the escrow mechanism of the wrapping, the resulting pseudo mint should not be usable, but it may break third parties that do not anticipate such a deviant mint.

Impact

Wrapped token mints can be created that do not correspond to a legitimate source mint.

Recommendations

Add an ownership check on the unwrapped mint to confirm that it is owned by either the SPL Token or the SPL Token 2022 program, ensuring that the source mint is legitimate.
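
The recommended check, shown beside the deserialize-only behaviour, as an added example that is not the program's own code or the fix in the commit below. Pubkey and AccountInfo are stand-ins for the solana_program types, the program ids are constructed placeholders, the function names are hypothetical, and the parser assumes a base 82-byte mint without Token-2022 extensions.

```rust
// Stand-ins for solana_program types so this runs without external crates.
type Pubkey = [u8; 32];
// Constructed placeholder ids, not the real SPL Token / Token-2022 program ids.
const SPL_TOKEN_ID: Pubkey = [1; 32];
const SPL_TOKEN_2022_ID: Pubkey = [2; 32];

struct AccountInfo { owner: Pubkey, data: Vec<u8> }

#[derive(Debug, PartialEq)]
enum WrapError { InvalidAccountData, IncorrectProgramId }

// Base SPL mint layout: 82 bytes, decimals at offset 44, is_initialized at 45.
fn parse_mint_decimals(data: &[u8]) -> Result<u8, WrapError> {
    if data.len() != 82 || data[45] != 1 {
        return Err(WrapError::InvalidAccountData);
    }
    Ok(data[44])
}

// Before: only the data shape is validated, so an account with any owner is accepted.
fn read_mint_unchecked(acct: &AccountInfo) -> Result<u8, WrapError> {
    parse_mint_decimals(&acct.data)
}

// After: the owner must be one of the two token programs before the data is trusted.
fn read_mint_checked(acct: &AccountInfo) -> Result<u8, WrapError> {
    if acct.owner != SPL_TOKEN_ID && acct.owner != SPL_TOKEN_2022_ID {
        return Err(WrapError::IncorrectProgramId);
    }
    parse_mint_decimals(&acct.data)
}

// Constructed sample: mint-shaped bytes with the given decimals.
fn sample_mint_data(decimals: u8) -> Vec<u8> {
    let mut d = vec![0u8; 82];
    d[44] = decimals;
    d[45] = 1;
    d
}

fn main() {
    let rogue = AccountInfo { owner: [9; 32], data: sample_mint_data(6) };
    let real = AccountInfo { owner: SPL_TOKEN_2022_ID, data: sample_mint_data(6) };
    println!("unchecked, foreign owner: {:?}", read_mint_unchecked(&rogue));
    println!("checked, foreign owner:   {:?}", read_mint_checked(&rogue));
    println!("checked, token program:   {:?}", read_mint_checked(&real));
}
```

In an on-chain program the same comparison is made against the owner field of the account passed to the instruction, before the mint data is unpacked.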

Remediation

This issue has been acknowledged by Anza, and a fix was implemented in commit 5cc59df2.

Zellic © 2025