Skip to content

fix(svm): M-01 Deposit Tokens Transferred from Depositor Token Account Instead of Signer #971

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 35 commits into from
Apr 23, 2025
Merged

fix(svm): M-01 Deposit Tokens Transferred from Depositor Token Account Instead of Signer #971

merged 35 commits into from
Apr 23, 2025

Conversation

md0x
Copy link
Contributor

@md0x md0x commented Apr 23, 2025

OZ identified the following issue:

A deposit action to the SpokePool program is meant to [pull tokens from the caller](https://github.com/across-protocol/contracts/blob/71e990b3f908ecf994be8723e041b584c7d49318/programs/svm-spoke/src/lib.rs#L213) (i.e., the [signer](https://github.com/across-protocol/contracts/blob/71e990b3f908ecf994be8723e041b584c7d49318/programs/svm-spoke/src/instructions/deposit.rs#L30)) which may be deposited on behalf of any depositor account. However, when the signer is not the depositor, a transfer_from operation is performed with the [depositor token account as the source address](https://github.com/across-protocol/contracts/blob/71e990b3f908ecf994be8723e041b584c7d49318/programs/svm-spoke/src/instructions/deposit.rs#L105). Such an operation would fail unless the depositor had delegated at least the input amount to the state PDA. This presents two consequences:

The signer will not be able to deposit for another account, disabling the intended feature of an [account being able to deposit on behalf of someone else](https://github.com/across-protocol/contracts/blob/71e990b3f908ecf994be8723e041b584c7d49318/programs/svm-spoke/src/lib.rs#L210).

If any token account delegates to the state PDA, then it is possible for anyone to call the deposit function, passing the victim's account as the [depositor_token_account](https://github.com/across-protocol/contracts/blob/71e990b3f908ecf994be8723e041b584c7d49318/programs/svm-spoke/src/instructions/deposit.rs#L45) and performing a successful deposit with arbitrary arguments other than the input token and amount. A malicious user could then submit a deposit with their own recipient address to steal depositor funds. This is possible due to the state PDA being passed as the [authority and signer seed](https://github.com/across-protocol/contracts/blob/71e990b3f908ecf994be8723e041b584c7d49318/programs/svm-spoke/src/utils/transfer_utils.rs#L19-L28) to the transfer_checked call, which, when delegated to, will pass [the transfer validation logic](https://docs.rs/spl-token/latest/src/spl_token/processor.rs.html#274). Note that this scenario is mitigated by the fact that native instruction batching in Solana transactions would typically involve delegation and transferring in one operation, making such a front-running scenario less likely but still possible.

Consider validating the signer token account in the same way as depositor_token_account, and performing the transfer from the signer token account.

We replaced the one “state” PDA with two distinct PDAs—one for deposit and one for fill_relay. Now users must explicitly delegate to the correct PDA before anyone can pull their tokens, restoring safe third‑party deposits and eliminating the risk of a single authority being misused to steal funds.

md0x and others added 30 commits April 23, 2025 15:25
@md0x
fix(svm): M-01 Deposit Tokens Transfers
4da1f98 
Signed-off-by: Pablo Maldonado <pablo@umaproject.org>
@md0x
feat: use unchecked account
068b1b2 
Signed-off-by: Pablo Maldonado <pablo@umaproject.org>
@md0x
feat: remove system acc
5d46bde 
Signed-off-by: Pablo Maldonado <pablo@umaproject.org>
@md0x
fix: deposit tests
ce1cee6 
Signed-off-by: Pablo Maldonado <pablo@umaproject.org>
@md0x
fix: fill tests
d108e19 
Signed-off-by: Pablo Maldonado <pablo@umaproject.org>
@md0x
refactor: rename and comments
8756179 
Signed-off-by: Pablo Maldonado <pablo@umaproject.org>
@md0x
fix: across plus
52ee33a 
Signed-off-by: Pablo Maldonado <pablo@umaproject.org>
@Reinis-FRP @md0x
fix(svm): pin rust toolchain for solana (#960)
b02556e 
* fix(svm): pin rust toolchain for solana

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

* fix: add local toolchain

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

* fix: add rustfmt to nightly

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

* fix: pin nightly in lint scripts

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

---------

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>
@md0x
refactor: rename and organize function
e3ee381 
Signed-off-by: Pablo Maldonado <pablo@umaproject.org>
@md0x
feat: update deposit delegate seed
e0d21a3 
Signed-off-by: Pablo Maldonado <pablo@umaproject.org>
@md0x
feat: use relay_hash from function arguments
c2c40a1 
Signed-off-by: Pablo Maldonado <pablo@umaproject.org>
@md0x
fix: heap memory error
59ae8e0 
Signed-off-by: Pablo Maldonado <pablo@umaproject.org>
@md0x
fix
56298f8 
Signed-off-by: Pablo Maldonado <pablo@umaproject.org>
@md0x
refactor: cleanup
b5ce6b9 
Signed-off-by: Pablo Maldonado <pablo@umaproject.org>
@md0x
fix: deposit checks
8406da6 
Signed-off-by: Pablo Maldonado <pablo@umaproject.org>
@md0x
fix: fill tests
62bfbf6 
Signed-off-by: Pablo Maldonado <pablo@umaproject.org>
@md0x
fix: fill relay delagate
75f3285 
Signed-off-by: Pablo Maldonado <pablo@umaproject.org>
@md0x
fix: fill
ec55a8c 
Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>
@md0x
refactor: simplify
f257772 
Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>
@md0x
refactor: cleanup
647ad44 
Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>
@md0x
test: update fill tests
2a7e9e0 
Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>
@md0x
refactor: comments
f2e9b6f 
Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>
@md0x
fix: scripts
abdb7b2 
Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>
@md0x
refactor: make seed structs private
03464e1 
Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>
@md0x
feat: add missing params to deposit hashes
b7dd47a 
Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>
@md0x
refactor: simplify
64a9c44 
Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>
@md0x
refactor: delegate utils
be25f5e 
Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>
@md0x
refactor: anchor serialize
d2de4af 
Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>
@md0x
refactor: reuse helper deriveSeedHash
76dfb2d 
Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>
@Reinis-FRP @md0x
fix: move paused fills check in handler
5dcf450 
Signed-off-by: Reinis Martinsons <reinis@umaproject.org>
md0x and others added 2 commits April 23, 2025 15:28
@md0x
feat: improvements
e617c45 
Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>
@Reinis-FRP @md0x
fix: remove program_id from transfer_from params
f0f18f9 
Signed-off-by: Reinis Martinsons <reinis@umaproject.org>
@linear Linear
Copy link

linear bot commented Apr 23, 2025

ACX-4021 M-01 Deposit Tokens Transferred from Depositor Token Account Instead of Signer

Reinis-FRP
Reinis-FRP reviewed Apr 23, 2025
View reviewed changes
.github/workflows/pr.yml Outdated
@@ -28,11 +28,11 @@ jobs:
- name: Install Cargo toolchain
uses: actions-rs/toolchain@v1
with:
toolchain: nightly
toolchain: nightly-2025-04-01
Copy link
Contributor

@Reinis-FRP Reinis-FRP Apr 23, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

toolchain chainges should have been merged in the solana-march-audit-2 branch already

md0x added 3 commits April 23, 2025 15:53
@md0x
Merge branch 'solana-march-audit-2' into pablo/acx-4021-m-01-deposit-…
42be4cc 
…tokens-transferred-from-depositor
@md0x
fix: fill import
2e3aa77 
Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>
@md0x
fix: tests
fc92b94 
Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>
@md0x md0x marked this pull request as ready for review April 23, 2025 15:45
@md0x md0x requested a review from Reinis-FRP April 23, 2025 15:45
@md0x md0x merged commit 58f2665 into solana-march-audit-2 Apr 23, 2025
9 checks passed
@md0x md0x deleted the pablo/acx-4021-m-01-deposit-tokens-transferred-from-depositor branch April 23, 2025 17:10
Reinis-FRP added a commit that referenced this pull request May 21, 2025
@md0x @Reinis-FRP @chrismaree
Solana march audit 2 (#995)
94c9692 
* feat(svm): remove enabled deposit route check (#939)

* feat(svm): remove enabled deposit route check

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

* fix: remove create_vault ix

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

* Update scripts/svm/simpleDeposit.ts

Co-authored-by: Chris Maree <christopher.maree@gmail.com>

* fix: update comment

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

---------

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>
Co-authored-by: Chris Maree <christopher.maree@gmail.com>

* feat(svm): test native sol deposits (#942)

* feat(svm): test native sol deposits

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

* fix: merge issues

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

---------

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

* fix(svm): pin rust toolchain for solana (#960) (#961)

* fix(svm): pin rust toolchain for solana



* fix: add local toolchain



* fix: add rustfmt to nightly



* fix: pin nightly in lint scripts



---------

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

* fix(svm): M-01 Deposit Tokens Transferred from Depositor Token Account Instead of Signer (#971)

* fix(svm): M-01 Deposit Tokens Transfers

Signed-off-by: Pablo Maldonado <pablo@umaproject.org>

* feat: use unchecked account

Signed-off-by: Pablo Maldonado <pablo@umaproject.org>

* feat: remove system acc

Signed-off-by: Pablo Maldonado <pablo@umaproject.org>

* fix: deposit tests

Signed-off-by: Pablo Maldonado <pablo@umaproject.org>

* fix: fill tests

Signed-off-by: Pablo Maldonado <pablo@umaproject.org>

* refactor: rename and comments

Signed-off-by: Pablo Maldonado <pablo@umaproject.org>

* fix: across plus

Signed-off-by: Pablo Maldonado <pablo@umaproject.org>

* fix(svm): pin rust toolchain for solana (#960)

* fix(svm): pin rust toolchain for solana

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

* fix: add local toolchain

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

* fix: add rustfmt to nightly

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

* fix: pin nightly in lint scripts

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

---------

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

* refactor: rename and organize function

Signed-off-by: Pablo Maldonado <pablo@umaproject.org>

* feat: update deposit delegate seed

Signed-off-by: Pablo Maldonado <pablo@umaproject.org>

* feat: use relay_hash from function arguments

Signed-off-by: Pablo Maldonado <pablo@umaproject.org>

* fix: heap memory error

Signed-off-by: Pablo Maldonado <pablo@umaproject.org>

* fix

Signed-off-by: Pablo Maldonado <pablo@umaproject.org>

* refactor: cleanup

Signed-off-by: Pablo Maldonado <pablo@umaproject.org>

* fix: deposit checks

Signed-off-by: Pablo Maldonado <pablo@umaproject.org>

* fix: fill tests

Signed-off-by: Pablo Maldonado <pablo@umaproject.org>

* fix: fill relay delagate

Signed-off-by: Pablo Maldonado <pablo@umaproject.org>

* fix: fill

Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>

* refactor: simplify

Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>

* refactor: cleanup

Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>

* test: update fill tests

Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>

* refactor: comments

Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>

* fix: scripts

Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>

* refactor: make seed structs private

Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>

* feat: add missing params to deposit hashes

Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>

* refactor: simplify

Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>

* refactor: delegate utils

Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>

* refactor: anchor serialize

Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>

* refactor: reuse helper deriveSeedHash

Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>

* fix: move paused fills check in handler

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

* feat: improvements

Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>

* fix: remove program_id from transfer_from params

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

* fix: fill import

Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>

* fix: tests

Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>

---------

Signed-off-by: Pablo Maldonado <pablo@umaproject.org>
Signed-off-by: Reinis Martinsons <reinis@umaproject.org>
Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>
Co-authored-by: Reinis Martinsons <77973553+Reinis-FRP@users.noreply.github.com>
Co-authored-by: Reinis Martinsons <reinis@umaproject.org>

* fix(svm): N-01 remove v3 from remaining functions and comments (#964)

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

* fix(svm): L-01 create new vault on deposit if needed (#957)

* fix(svm): L-01 create new vault on deposit if needed

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

* fix: use stable toolchain in ci

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

* fix(svm): pin rust toolchain for solana (#960)

* fix(svm): pin rust toolchain for solana

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

* fix: add local toolchain

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

* fix: add rustfmt to nightly

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

* fix: pin nightly in lint scripts

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

---------

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

---------

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

* fix(svm): N-02 clarify documentation (#963)

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

* fix(svm): N-03 use consistent variable names in the instruction constraint (#962)

* fix(svm): pin rust toolchain for solana (#960)

* fix(svm): pin rust toolchain for solana

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

* fix: add local toolchain

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

* fix: add rustfmt to nightly

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

* fix: pin nightly in lint scripts

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

---------

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

* fix(svm): N-03 use consistent variable names in the instruction constraint

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

* fix: restore relay_hash naming in FillRelay context

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

---------

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

* feat: update toolchain

Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>

* feat: update toolchain bis

Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>

* fix: delete old scripts

Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>

* fix: across plus codama test

Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>

* fix: fill test codama

Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>

* feat: bump version

Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>

* fix: bump version

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

---------

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>
Signed-off-by: Pablo Maldonado <pablo@umaproject.org>
Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>
Co-authored-by: Reinis Martinsons <77973553+Reinis-FRP@users.noreply.github.com>
Co-authored-by: Chris Maree <christopher.maree@gmail.com>
Co-authored-by: Reinis Martinsons <reinis@umaproject.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Reinis-FRP Reinis-FRP Reinis-FRP approved these changes

@mrice32 mrice32 Awaiting requested review from mrice32

@nicholaspai nicholaspai Awaiting requested review from nicholaspai

@chrismaree chrismaree Awaiting requested review from chrismaree

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@md0x @Reinis-FRP