-
Notifications
You must be signed in to change notification settings - Fork 100
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Example #2 Owner Checks #25
Comments
I am guessing this is because there isn't a check that the account is owned by the TokenProgram? |
First, the code attempts to log a message after deserializing the provided account (token) using the SplTokenAccount::unpack utility from the spl_token crate. However, it does not verify that the token account is indeed owned by the expected token program (such as the SPL Token program). use anchor_lang::prelude::*; // ... (rest of the code) #[program]
} // ... (rest of the code) By adding the check to ensure the token account is owned by the correct Token program, the code becomes more secure and prevents unauthorized accounts from passing the checks. This way, we can avoid potential security vulnerabilities and maintain the integrity of the program's operations. |
In this example, the account was deserialized with the SplTokenAccount util and owner check is performed after. Why is this example insecure other than not deserializing with the Anchor TokenAccount struct?
The text was updated successfully, but these errors were encountered: