solana-lints icon indicating copy to clipboard operation
solana-lints copied to clipboard
verified publisher icon crytic

detect implicit signer check

Open 0xalpharush opened this issue 2 years ago • 0 comments

The missing signer check lint will warn on the from account despite being implicitly checked by the system's transfer instruction (It creates an instruction with AccountMeta:new(from, is_signer:true)). We can check if accounts are used in instructions for which they are required to be signers to improve the precision.

Example false positive:

pub fn my_transfer_func<'a>(
    from: &AccountInfo<'a>,
    to: &AccountInfo<'a>,
    system_program: &AccountInfo<'a>,
    amount: u64,
) -> Result<(), ProgramError> {
    let instruction = transfer(from.key, to.key, amount);
    // [...]
    invoke(
        &instruction,
        &[from.clone(), to.clone(), system_program.clone()],
    )?;
    Ok(())
}

0xalpharush avatar May 23 '23 18:05 0xalpharush