Skip to content

Lazer solana audit fixes #2250

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jan 14, 2025
Merged

Lazer solana audit fixes #2250

merged 3 commits into from
Jan 14, 2025

Conversation

Riateche
Copy link
Contributor

@Riateche Riateche commented Jan 13, 2025
edited
Loading

  • Disallow config account migration if it's already migrated. Repeatedly applied migration could overwrite the config account in an invalid way.
  • Fetch message data from the instructions sysvar based on the signature program arguments when verifying instead of trusting the caller to pass correct message_data and message_offset. Generally, it was the caller contract's responsibility to make sure they specify message_data and message_offset correctly regardless of the untrusted input. However, this looks unsafe in non-CPI scenario (even though that scenario is not intended for use) and opens a possibility of an incorrect use via CPI. The new approach does not require passing message_offset and verifies that message_data equals the data at the offset for the verified signature.

@vercel Vercel
Copy link

vercel bot commented Jan 13, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
api-reference ✅ Ready (Inspect) Visit Preview 💬 Add feedback Jan 14, 2025 11:26am
proposals ✅ Ready (Inspect) Visit Preview 💬 Add feedback Jan 14, 2025 11:26am
staking ✅ Ready (Inspect) Visit Preview 💬 Add feedback Jan 14, 2025 11:26am
2 Skipped Deployments
Name Status Preview Comments Updated (UTC)
component-library ⬜️ Ignored (Inspect) Visit Preview Jan 14, 2025 11:26am
insights ⬜️ Ignored (Inspect) Visit Preview Jan 14, 2025 11:26am

@Riateche Riateche mentioned this pull request Jan 13, 2025
Merged
@Riateche Riateche force-pushed the lazer-solana-audit-fixes branch from 7f2cabe to 04ae0d2 Compare January 14, 2025 11:23
@Riateche Riateche marked this pull request as ready for review January 14, 2025 11:36
ali-behjati
ali-behjati approved these changes Jan 14, 2025
View reviewed changes
Copy link
Collaborator

@ali-behjati ali-behjati left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@Riateche Riateche merged commit eb7f460 into main Jan 14, 2025
9 checks passed
@Riateche Riateche deleted the lazer-solana-audit-fixes branch January 14, 2025 15:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ali-behjati ali-behjati ali-behjati approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Riateche @ali-behjati