solana-lints icon indicating copy to clipboard operation
solana-lints copied to clipboard
verified publisher icon crytic

4-initialization lint notes

Open oslfmt opened this issue 3 years ago • 1 comments

This PR is not meant to be merged (but could be in the future if a lint strategy is created). The only notable file in this PR is in ui/recommended/init_expansion.rs. I was trying to figure out what exactly anchor does to fix this exploit with their [#account(init)] macro, and see if it might provide some insight into what exactly "initialization" of an account means. This file contains the macro expansion (all of it happens in the try_accounts() method as far as I can tell). The init attribute expands to a large block of code, and I've made comments on the parts I found more interesting.

Some other miscellaneous notes:

  • Initialization seems to have to do something with allocating space. This happens in both the Anchor expansion and in the SPL token library
  • In the Anchor expansion, there is different logic depending on if the account has lamports or not. If not, it just calls the system program to create an instruction for creating accounts. But if it does have some lamports, it does some other actions like allocating space and assigning an owner. This is interesting and I'm not sure why they do this.
  • This function here is in the SPL token library and processes an "initialize_account" instruction. With regards to initialization, (one of) the important lines is here, which, as the comment above mentions, checks if the account is already initialized or not. The check in reference happens exactly on this line, which calls is_initialized. That checks if the account.state is equal to a certain enum variant. Thus, the Account struct uses an enum to tell if an account has already been initialized. However, a bool could just as easily be used, as is done in the Mint struct here. So a common "initialization" flag may be either an enum or bool. I can't think of an easy way to detect if the enum/bool is meant to be used as as initialization flag or not though, besides checking it's Ident??

In summary, a lint for this exploit could be made by:

  1. Finding out what exactly initialization of an account entails, and use this to detect an initialization happening.
  2. Check if the AccountInfo.data struct contains an "initialization flag". The SPL token library has a flag in their Mint and Account structs, and it seems like this is a reasonable way to not reinitialize accounts.

oslfmt avatar Aug 16 '22 02:08 oslfmt

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

CLAassistant avatar Dec 30 '22 21:12 CLAassistant