fix: :bug: Components CPI caller check

Open iamnamananand996 opened this issue 4 months ago • 0 comments

Status: Ready
Type: Bug
⚠️ Core Change: Yes
Issue: #29

Problem

  • Components make use of solana_program::sysvar::instructions::get_instruction_relative to enforce that they are called from CPI and the identity of the caller. This may contain a bug, since a transaction could contain a valid instruction at index [0] but be malicious.

Full description is available: https://github.com/magicblock-labs/bolt/issues/29#issuecomment-2408909957

Solution

To correctly determine if your program was called via CPI, you should:

  • Use get_instruction_relative(-1, ...): This will attempt to retrieve the instruction that called the currently executing instruction. If the program was called directly, there will be no instruction at index -1, and the function will return an error.

  • Check for Errors: If get_instruction_relative(-1, ...) returns an Err, it means the program was called directly. If it returns Ok, you can proceed, knowing it was called via CPI.
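
Added example (editor's illustration, not code from the bolt repository or from solana_program): a self-contained Rust model of the two instructions-sysvar lookups involved here, load_current_index and get_instruction_relative, reproducing their documented semantics without the solana_program crate. The sysvar serialises only the transaction's top-level instructions, and the current index is the position of the top-level instruction being executed, which a CPI does not change. The model runs the -1 lookup and the relative-0 lookup over three constructed transaction layouts, including the one the Problem section describes (a benign instruction at index [0] followed by a direct component call), so the outcome of each check is visible: the -1 lookup fails exactly when the executing top-level instruction sits at index 0, while relative index 0 yields the program_id of the top-level instruction that caused the component to run, which is what a caller-identity check compares against the expected program. Program ids are constructed placeholder strings, not real keys.

```rust
// Editor's added model of the Solana instructions sysvar (NOT solana_program's code).
// Semantics reproduced: only top-level instructions are recorded; current_index
// is the executing top-level instruction's index; a CPI does not change it.

#[derive(Debug, Clone, PartialEq)]
pub struct Instruction {
    pub program_id: &'static str, // stands in for a Pubkey
    pub data: Vec<u8>,
}

#[derive(Debug, PartialEq)]
pub enum ProgramError {
    InvalidArgument, // what the real lookup returns for a negative/out-of-range index
}

/// Model of the sysvar account contents plus the current top-level index.
pub struct InstructionsSysvar {
    pub instructions: Vec<Instruction>,
    pub current_index: usize,
}

impl InstructionsSysvar {
    /// Mirrors get_instruction_relative: resolve current_index + offset against the
    /// top-level instruction list; Err when the result is negative or out of range.
    pub fn get_instruction_relative(&self, offset: i64) -> Result<Instruction, ProgramError> {
        let index = (self.current_index as i64).saturating_add(offset);
        if index < 0 {
            return Err(ProgramError::InvalidArgument);
        }
        self.instructions
            .get(index as usize)
            .cloned()
            .ok_or(ProgramError::InvalidArgument)
    }
}

/// The check as proposed in the PR: an Err from relative index -1 means "called directly".
pub fn called_via_cpi_per_pr(sysvar: &InstructionsSysvar) -> bool {
    sysvar.get_instruction_relative(-1).is_ok()
}

/// Caller identity: program_id of the top-level instruction currently executing,
/// i.e. the program that (directly or via nested CPIs) caused this component to run.
pub fn top_level_caller(sysvar: &InstructionsSysvar) -> Result<&'static str, ProgramError> {
    sysvar.get_instruction_relative(0).map(|ix| ix.program_id)
}

// Constructed placeholder program ids (not real keys).
pub const WORLD: &str = "WorldProgramPlaceholder";
pub const COMPONENT: &str = "ComponentProgramPlaceholder";

fn ix(program_id: &'static str) -> Instruction {
    Instruction { program_id, data: Vec::new() }
}

/// Layout A: a single World instruction that reaches the component through CPI.
pub fn layout_cpi_first() -> InstructionsSysvar {
    InstructionsSysvar { instructions: vec![ix(WORLD)], current_index: 0 }
}

/// Layout B: a direct component call as the transaction's first instruction.
pub fn layout_direct_first() -> InstructionsSysvar {
    InstructionsSysvar { instructions: vec![ix(COMPONENT)], current_index: 0 }
}

/// Layout C (the Problem section's case): a valid World instruction at index 0,
/// followed by a direct component call at index 1.
pub fn layout_direct_second() -> InstructionsSysvar {
    InstructionsSysvar { instructions: vec![ix(WORLD), ix(COMPONENT)], current_index: 1 }
}

fn main() {
    let layouts = vec![
        ("A cpi-first", layout_cpi_first()),
        ("B direct-first", layout_direct_first()),
        ("C direct-second", layout_direct_second()),
    ];
    for (name, sv) in layouts {
        println!(
            "{}: relative -1 -> {:?}, relative 0 -> {:?}, per-PR cpi check -> {}",
            name,
            sv.get_instruction_relative(-1).map(|i| i.program_id),
            top_level_caller(&sv),
            called_via_cpi_per_pr(&sv)
        );
    }
}
```

Running the model shows layout B failing the -1 lookup as intended, layout C passing it (relative -1 resolves to the World instruction at index 0, not to a CPI caller), and layout A, the ordinary CPI case, also failing it because the World instruction is at index 0; in all three, relative index 0 reports the top-level program that is actually executing, which is the value a caller-identity check should compare against the expected program id.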

cc - @GabrielePicco

iamnamananand996 · Oct 13 '24 10:10