Arbitrary Program Call in Solana
Description
An attacker may be able to invoke arbitrary programs via cross-program invocation when the target program account's address is not validated, potentially leading to unauthorized actions.
Examples
Insecure Code

```rust
// The program to call comes from the transaction as an unchecked account.
struct MyStruct<'info> { my_account: UncheckedAccount<'info> }
...
// Invoked without checking which program my_account actually refers to.
solana_program::program::invoke(...)
```

Secure Code

```rust
struct MyStruct<'info> { my_account: UncheckedAccount<'info> }
...
// Only the intended program (expected_key) is ever invoked.
if my_account.key == expected_key { solana_program::program::invoke(...) }
```

Remediation
Validate the account address before invoking the program to prevent arbitrary program calls.
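The check described above, as an added example that is not part of this rule's own code: `Pubkey` and `AccountInfo` are minimal local stand-ins so the file compiles without the `solana_program` crate (an assumption; the SDK types differ), and the base58 decoder turns a printed program address such as the SPL Token program id into the 32-byte key the comparison uses.

```rust
// Added example (not the page's code): program-id validation before a CPI,
// with local stand-ins for Solana's Pubkey/AccountInfo (assumption, not the SDK).
use std::convert::TryInto;

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Pubkey(pub [u8; 32]);

/// Only the AccountInfo fields this check needs.
pub struct AccountInfo { pub key: Pubkey, pub executable: bool }

/// Insecure: whichever account the caller supplied is handed to invoke(),
/// so the transaction author chooses which program runs.
pub fn cpi_unchecked(program: &AccountInfo) -> Pubkey {
    program.key
}

/// Secure: only the intended, executable program may be invoked; the Ok
/// branch is where solana_program::program::invoke(...) would follow.
pub fn cpi_checked(program: &AccountInfo, expected: &Pubkey) -> Result<Pubkey, &'static str> {
    if program.key != *expected { return Err("IncorrectProgramId"); }
    if !program.executable { return Err("account is not an executable program"); }
    Ok(program.key)
}

/// SPL Token program address, the kind of constant `expected_key` should be.
pub const SPL_TOKEN_ID: &str = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA";
const B58: &[u8] = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";

/// Decode a base58 address into the 32-byte key the on-chain comparison uses.
pub fn pubkey_from_base58(s: &str) -> Option<Pubkey> {
    let mut digits: Vec<u8> = Vec::new(); // big-endian byte accumulator
    for c in s.bytes() {
        let mut carry = B58.iter().position(|&a| a == c)? as u32; // None on bad char
        for d in digits.iter_mut().rev() {
            carry += u32::from(*d) * 58;
            *d = (carry & 0xff) as u8;
            carry >>= 8;
        }
        while carry > 0 {
            digits.insert(0, (carry & 0xff) as u8);
            carry >>= 8;
        }
    }
    let zeros = s.bytes().take_while(|&c| c == b'1').count(); // leading '1' = 0x00
    let mut out = vec![0u8; zeros];
    out.extend(digits);
    Some(Pubkey(out.try_into().ok()?)) // None unless exactly 32 bytes
}
```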
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0204 |
| Category | Injection |
| Severity | CRITICAL |
| CWE | CWE-20 |
| Confidence | LOW |
| Impact | HIGH |
| Likelihood | HIGH |
| Exploitability | EASY |
| Tags | solana, arbitrary-program-call |
| OWASP | N/A |