{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/solana-foundation/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["anchor-lang"],"_cs_severities":["high"],"_cs_tags":["anchor","solana","account-validation","cpi-bypass"],"_cs_type":"advisory","_cs_vendors":["Solana Foundation"],"content_html":"\u003cp\u003eAnchor is a framework for building Solana programs. A validation vulnerability exists in anchor-lang versions 1.0.0 and 1.0.1 where programs built with anchor incorrectly validate the \u003ccode\u003esystem_program\u003c/code\u003e account. Specifically, the \u003ccode\u003eTryFrom\u003c/code\u003e implementation for \u003ccode\u003eProgram\u0026lt;'a, T\u0026gt;\u003c/code\u003e compares the ID of T with \u003ccode\u003ePubkey::default()\u003c/code\u003e to check whether anchor should allow any executable account or a specific account. Due to this logic, both \u003ccode\u003eT = ()\u003c/code\u003e and \u003ccode\u003eT = System\u003c/code\u003e exhibit the same behavior, allowing any executable account. 
This flaw allows attackers to pass arbitrary program IDs instead of the system program ID, causing false assumptions and enabling potential CPI and payment bypasses.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Anchor program (version 1.0.0 or 1.0.1) that uses the \u003ccode\u003eProgram\u0026lt;'info, System\u0026gt;\u003c/code\u003e type to ensure a valid system program account.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious transaction, replacing the expected system program ID with the ID of a program they control (e.g., the Compute Budget program, or a custom program).\u003c/li\u003e\n\u003cli\u003eThe vulnerable program\u0026rsquo;s \u003ccode\u003eInitialize\u003c/code\u003e function receives the attacker-provided program ID as the \u003ccode\u003esystem_program\u003c/code\u003e account.\u003c/li\u003e\n\u003cli\u003eDue to the flawed validation logic, the Anchor runtime incorrectly accepts the attacker-provided program ID as a valid system program.\u003c/li\u003e\n\u003cli\u003eThe vulnerable program constructs a transfer instruction using the (incorrect) attacker-supplied program ID.\u003c/li\u003e\n\u003cli\u003eThe program invokes the transfer instruction, intending to transfer lamports using the system program. 
However, because the program ID is controlled by the attacker, no transfer occurs, or the transfer is redirected to an attacker-controlled program based on the malicious program logic.\u003c/li\u003e\n\u003cli\u003eThe vulnerable program proceeds under the false assumption that the transfer has succeeded, potentially leading to incorrect state updates.\u003c/li\u003e\n\u003cli\u003eThe attacker bypasses intended restrictions and potentially gains control of accounts meant to be owned by the system program, or blocks transfers.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability impacts on-chain programs that depend on the system program, potentially leading to CPI bypasses and unauthorized payment diversions. This could result in financial losses and compromised program functionality. The vulnerability affects programs using \u003ccode\u003erust/anchor-lang\u003c/code\u003e in versions 1.0.0 and 1.0.1. The severity of the vulnerability is rated as high due to the potential for significant financial impact and unauthorized account control.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003erust/anchor-lang\u003c/code\u003e to version 1.0.2 or later to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect Anchor Program ID Validation Bypass\u003c/code\u003e to identify potential exploitation attempts targeting the vulnerable validation logic.\u003c/li\u003e\n\u003cli\u003eAudit existing Anchor programs for improper system program account validation, specifically examining the \u003ccode\u003eTryFrom\u0026lt;\u0026amp;'a AccountInfo\u0026lt;'a\u0026gt;\u0026gt;\u003c/code\u003e implementation for \u003ccode\u003eProgram\u0026lt;'a, T\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eUse static analysis tools to detect vulnerable code patterns in Anchor 
programs that rely on system program interactions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T15:37:02Z","date_published":"2026-05-13T15:37:02Z","id":"https://feed.craftedsignal.io/briefs/2026-05-anchor-program-validation-bypass/","summary":"A logic error in anchor-lang versions 1.0.0 to 1.0.1 causes anchor programs to accept any program ID when requiring the system program ID, resulting in false assumptions that could lead to arbitrary CPI in programs invoking system program instructions, potentially leading to validation bypass and unauthorized account control.","title":"Anchor Program Validation Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-anchor-program-validation-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["anchor-lang"],"_cs_severities":["medium"],"_cs_tags":["anchor","solana","interfaceaccount","account-substitution"],"_cs_type":"advisory","_cs_vendors":["Solana Foundation"],"content_html":"\u003cp\u003eA vulnerability exists within the \u003ccode\u003eInterfaceAccount\u003c/code\u003e type in the \u003ccode\u003eanchor-lang\u003c/code\u003e package of the Anchor framework. This flaw allows for the substitution of account types because discriminator checking was unintentionally disabled in pull request #3837. An attacker could potentially exploit this by passing an account of an unexpected type, leading to unexpected behavior in Solana programs. The vulnerability affects version 1.0.0-rc.1. The fix was implemented in pull request #4139 and released in \u003ccode\u003e1.0.0-rc.2\u003c/code\u003e. Users are strongly advised to upgrade to the latest released version of Anchor 1.0 to mitigate this risk. 
This impacts programs utilizing the Anchor framework on the Solana blockchain.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Solana program utilizing \u003ccode\u003eInterfaceAccount\u003c/code\u003e with Anchor version 1.0.0-rc.1.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious transaction that attempts to pass an account of an incorrect type to the program via \u003ccode\u003eInterfaceAccount\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe program, lacking discriminator checking due to the vulnerability, accepts the incorrect account.\u003c/li\u003e\n\u003cli\u003eThe program attempts to process the provided account based on the expected type.\u003c/li\u003e\n\u003cli\u003eDue to type mismatch, the program may experience unexpected behavior, such as data corruption.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the corrupted data to manipulate program logic.\u003c/li\u003e\n\u003cli\u003eThe attacker is able to perform unauthorized actions within the Solana program.\u003c/li\u003e\n\u003cli\u003eThis can lead to financial loss, unauthorized data access, or denial of service for other users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows attackers to substitute account types in Solana programs using the Anchor framework\u0026rsquo;s \u003ccode\u003eInterfaceAccount\u003c/code\u003e, potentially leading to data corruption and unauthorized actions. This impacts any Solana program using the vulnerable \u003ccode\u003eInterfaceAccount\u003c/code\u003e in \u003ccode\u003eanchor-lang\u003c/code\u003e version 1.0.0-rc.1. 
Successful exploitation could result in financial loss, data breaches, or denial-of-service for users of the affected Solana programs.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to the latest released version of Anchor 1.0 (\u0026gt;= 1.0.0-rc.2) as described in the advisory to patch the vulnerable \u003ccode\u003eInterfaceAccount\u003c/code\u003e type.\u003c/li\u003e\n\u003cli\u003eExamine your Solana programs for uses of \u003ccode\u003eInterfaceAccount\u003c/code\u003e in conjunction with \u003ccode\u003eanchor-lang\u003c/code\u003e 1.0.0-rc.1 and prioritize patching these programs.\u003c/li\u003e\n\u003cli\u003eMonitor Solana program activity for unexpected account interactions and type mismatches as a potential indicator of exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T15:36:36Z","date_published":"2026-05-13T15:36:36Z","id":"https://feed.craftedsignal.io/briefs/2026-05-anchor-interfaceaccount-substitution/","summary":"The `InterfaceAccount` in `anchor-lang` allows an unexpected account type to be passed due to disabled discriminator checking, patched in version 1.0.0-rc.2 and later.","title":"Anchor: InterfaceAccount Allows Account Substitution","url":"https://feed.craftedsignal.io/briefs/2026-05-anchor-interfaceaccount-substitution/"}],"language":"en","title":"CraftedSignal Threat Feed — Solana Foundation","version":"https://jsonfeed.org/version/1.1"}