Attack Chain

1. An attacker identifies a Solana program utilizing InterfaceAccount with Anchor version 1.0.0-rc.1.
2. The attacker crafts a malicious transaction that attempts to pass an account of an incorrect type to the program via InterfaceAccount.
3. The program, lacking discriminator checking due to the vulnerability, accepts the incorrect account.
4. The program attempts to process the provided account based on the expected type.
5. Due to type mismatch, the program may experience unexpected behavior, such as data corruption.
6. The attacker leverages the corrupted data to manipulate program logic.
7. The attacker is able to perform unauthorized actions within the Solana program.
8. This can lead to financial loss, unauthorized data access, or denial of service for other users.

Impact

The vulnerability allows attackers to substitute account types in Solana programs using the Anchor framework’s InterfaceAccount, potentially leading to data corruption and unauthorized actions. This impacts any Solana program using the vulnerable InterfaceAccount in anchor-lang version 1.0.0-rc.1. Successful exploitation could result in financial loss, data breaches, or denial-of-service for users of the affected Solana programs.

Recommendation

• Upgrade to the latest released version of Anchor 1.0 (>= 1.0.0-rc.2) as described in the advisory to patch the vulnerable InterfaceAccount type.
• Examine your Solana programs for uses of InterfaceAccount in conjunction with anchor-lang 1.0.0-rc.1 and prioritize patching these programs.
• Monitor Solana program activity for unexpected account interactions and type mismatches as a potential indicator of exploitation.