Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[solana] Refactoring transfer vesting #251

Merged
merged 4 commits into from
Feb 19, 2025
Merged

[solana] Refactoring transfer vesting #251

merged 4 commits into from
Feb 19, 2025

Conversation

djb15
Copy link
Contributor

@djb15 djb15 commented Feb 14, 2025

No description provided.

@soteria-bc
Copy link
Collaborator

Note

commit 8e26bac

After the refactoring, it seems the issue is not fully resolved.

Currently, in transfer_vesting, the checks for new_stake_account_metadata, stake_account_metadata, and delegate_stake_account_metadata are only performed when the corresponding vesting_balance.stake_account_metadata or new_vesting_balance.stake_account_metadata exists.

However, when vesting_balance.stake_account_metadata or new_vesting_balance.stake_account_metadata does not exist, there is no requirement that the corresponding account must be None. Instead, any StakeAccountMetadata account can be passed in, which leads to the following issue:

self.vesting_balance.stake_account_metadata != Pubkey::default() && self.new_vesting_balance.stake_account_metadata == Pubkey::default(): In this case, no restrictions will be applied to new_stake_account_metadata, allowing it to be any StakeAccountMetadata account. A malicious user could set it to stake_account_metadata. Since in account list, the new_stake_account_metadata comes after stake_account_metadata, any changes to stake_account_metadata will be ineffective.

/* solana/programs/staking/src/contexts/transfer_vesting.rs */
016 | pub struct TransferVesting<'info> {
081 |     #[account(mut)]
082 |     pub delegate_stake_account_checkpoints: Option<AccountLoader<'info, CheckpointData>>,
083 |     #[account(mut)]
084 |     pub delegate_stake_account_metadata: Option<Box<Account<'info, StakeAccountMetadata>>>,
085 |     #[account(mut)]
086 |     pub stake_account_metadata: Option<Box<Account<'info, StakeAccountMetadata>>>,
         // @audit: when `new_stake_account_metadata == stake_account_metadata`, all changes made on stake_account_metadata will be overwritten by new_stake_account_metadata
087 |     #[account(mut)]
088 |     pub new_stake_account_metadata: Option<Box<Account<'info, StakeAccountMetadata>>>,
093 | }

108 | pub fn transfer_vesting(
109 |     &mut self,
110 |     new_vest_bump: u8,
111 |     new_vesting_balance_bump: u8,
112 | ) -> Result<TransferVestingEvents> {
148 |     if self.vesting_balance.stake_account_metadata != Pubkey::default() {
149 |         if let (
150 |             Some(stake_account_metadata),
151 |         ) = (
152 |             &mut self.stake_account_metadata,
153 |         ) {
250 |             let new_recorded_vesting_balance = stake_account_metadata
251 |                 .recorded_vesting_balance
252 |                 .checked_sub(self.vest.amount)
253 |                 .ok_or(VestingError::Underflow)?;
254 | 
                  // @audit: changes made on stake_account_metadata.recorded_vesting_balance will be overwritten by `new_stake_account_metadata`
255 |             let recorded_vesting_balance_changed = stake_account_metadata
256 |                 .update_recorded_vesting_balance(new_recorded_vesting_balance);
265 |     }
266 | 
267 |     if self.new_vesting_balance.stake_account_metadata != Pubkey::default() {
272 |         if let (
273 |             Some(new_stake_account_metadata),
274 |         ) = (
275 |             &mut self.new_stake_account_metadata,
276 |         ) {
                  // @audit: check on `new_stake_account_metadata` only applies when `new_vesting_balance.stake_account_metadata != Pubkey::default()``
278 |             require!(
279 |                 new_stake_account_metadata.owner == self.new_vesting_balance.vester,
280 |                 VestingError::InvalidStakeAccountOwner
281 |             );
311 |     }

Do you think it's a good idea to enforce that the corresponding option account must be None when no write or read operation is needed for it.

@djb15
Copy link
Contributor Author

djb15 commented Feb 14, 2025
edited
Loading

@soteria-bc Nice catch! Yeah I'd like this instruction to become much more exhaustive. I'm refactoring this PR at the moment, will be updating soon

@soteria-bc
Copy link
Collaborator

soteria-bc commented Feb 17, 2025
edited
Loading

@soteria-bc Nice catch! Yeah I'd like this instruction to become much more exhaustive. I'm refactoring this PR at the moment, will be updating soon

Thanks! This exhaustive check looks great! It does simplify things a lot.

@mdulin2
Copy link

mdulin2 commented Feb 18, 2025

@soteria-bc I'm super impressed with your review of the fix. Thanks for taking it so seriously!

mdulin2
mdulin2 approved these changes Feb 18, 2025
View reviewed changes
Copy link

@mdulin2 mdulin2 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This has been a nightmare to handle. I'm hopeful we got the bugs out now. If not the contest will find them.

In my evaluation, I can't see anything wrong with it though. The derivation for the account PDAs is always verified, the optional accounts are handled better, the counting looks correct and the only case where duplicate accounts can be passed in is explicitly handled.

@djb15 djb15 merged commit 130d8c8 into main Feb 19, 2025
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mdulin2 mdulin2 mdulin2 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@djb15 @soteria-bc @mdulin2 @zpoken