Skip to content

fix(svm): M-01 Deposit Tokens Transferred from Depositor Token Account Instead of Signer #958

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 33 commits into from
Apr 23, 2025
Merged

fix(svm): M-01 Deposit Tokens Transferred from Depositor Token Account Instead of Signer #958

merged 33 commits into from
Apr 23, 2025

Conversation

md0x
Copy link
Contributor

@md0x md0x commented Apr 16, 2025
edited
Loading

OZ identified the followin issue:

A deposit action to the SpokePool program is meant to [pull tokens from the caller](https://github.com/across-protocol/contracts/blob/71e990b3f908ecf994be8723e041b584c7d49318/programs/svm-spoke/src/lib.rs#L213) (i.e., the [signer](https://github.com/across-protocol/contracts/blob/71e990b3f908ecf994be8723e041b584c7d49318/programs/svm-spoke/src/instructions/deposit.rs#L30)) which may be deposited on behalf of any depositor account. However, when the signer is not the depositor, a transfer_from operation is performed with the [depositor token account as the source address](https://github.com/across-protocol/contracts/blob/71e990b3f908ecf994be8723e041b584c7d49318/programs/svm-spoke/src/instructions/deposit.rs#L105). Such an operation would fail unless the depositor had delegated at least the input amount to the state PDA. This presents two consequences:

The signer will not be able to deposit for another account, disabling the intended feature of an [account being able to deposit on behalf of someone else](https://github.com/across-protocol/contracts/blob/71e990b3f908ecf994be8723e041b584c7d49318/programs/svm-spoke/src/lib.rs#L210).

If any token account delegates to the state PDA, then it is possible for anyone to call the deposit function, passing the victim's account as the [depositor_token_account](https://github.com/across-protocol/contracts/blob/71e990b3f908ecf994be8723e041b584c7d49318/programs/svm-spoke/src/instructions/deposit.rs#L45) and performing a successful deposit with arbitrary arguments other than the input token and amount. A malicious user could then submit a deposit with their own recipient address to steal depositor funds. This is possible due to the state PDA being passed as the [authority and signer seed](https://github.com/across-protocol/contracts/blob/71e990b3f908ecf994be8723e041b584c7d49318/programs/svm-spoke/src/utils/transfer_utils.rs#L19-L28) to the transfer_checked call, which, when delegated to, will pass [the transfer validation logic](https://docs.rs/spl-token/latest/src/spl_token/processor.rs.html#274). Note that this scenario is mitigated by the fact that native instruction batching in Solana transactions would typically involve delegation and transferring in one operation, making such a front-running scenario less likely but still possible.

Consider validating the signer token account in the same way as depositor_token_account, and performing the transfer from the signer token account.

We replaced the one “state” PDA with two distinct PDAs—one for deposit and one for fill_relay. Now users must explicitly delegate to the correct PDA before anyone can pull their tokens, restoring safe third‑party deposits and eliminating the risk of a single authority being misused to steal funds.

@linear Linear
Copy link

linear bot commented Apr 16, 2025

ACX-4021 M-01 Deposit Tokens Transferred from Depositor Token Account Instead of Signer

md0x added 9 commits April 17, 2025 14:38
@md0x
feat: use unchecked account
a776129 
Signed-off-by: Pablo Maldonado <[email protected]>
@md0x
feat: remove system acc
473abaf 
Signed-off-by: Pablo Maldonado <[email protected]>
@md0x
fix: deposit tests
46e561e 
Signed-off-by: Pablo Maldonado <[email protected]>
@md0x
fix: fill tests
44aaac3 
Signed-off-by: Pablo Maldonado <[email protected]>
@md0x
refactor: rename and comments
7aa3d8a 
Signed-off-by: Pablo Maldonado <[email protected]>
@md0x
fix: across plus
6d86ec4 
Signed-off-by: Pablo Maldonado <[email protected]>
@md0x
Merge branch 'master' into pablo/acx-4021-m-01-deposit-tokens-transfe…
6ff9e4b 
…rred-from-depositor-token-account
@md0x
refactor: rename and organize function
b6eab4b 
Signed-off-by: Pablo Maldonado <[email protected]>
@md0x
feat: update deposit delegate seed
b45f24d 
Signed-off-by: Pablo Maldonado <[email protected]>
@md0x md0x marked this pull request as ready for review April 17, 2025 18:31
@md0x md0x changed the title fix(svm): M-01 Deposit Tokens Transfers fix(svm): Deposit Tokens Transferred from Depositor Token Account Instead of Signer Apr 18, 2025
@md0x md0x changed the title fix(svm): Deposit Tokens Transferred from Depositor Token Account Instead of Signer fix(svm): M-01 Deposit Tokens Transferred from Depositor Token Account Instead of Signer Apr 18, 2025
Reinis-FRP
Reinis-FRP reviewed Apr 18, 2025
View reviewed changes
md0x added 5 commits April 18, 2025 18:30
@md0x
fix: heap memory error
26f59ca 
Signed-off-by: Pablo Maldonado <[email protected]>
@md0x
fix
71cf1ba 
Signed-off-by: Pablo Maldonado <[email protected]>
@md0x
refactor: cleanup
3ef6c95 
Signed-off-by: Pablo Maldonado <[email protected]>
@md0x
fix: deposit checks
a324daf 
Signed-off-by: Pablo Maldonado <[email protected]>
@md0x
fix: fill tests
6671830 
Signed-off-by: Pablo Maldonado <[email protected]>
@md0x md0x marked this pull request as draft April 19, 2025 08:41
md0x and others added 4 commits April 20, 2025 11:15
@md0x
fix: fill relay delagate
81b6cf5 
Signed-off-by: Pablo Maldonado <[email protected]>
@md0x
fix: fill
6e01b20 
Signed-off-by: Pablo Maldonado <[email protected]>
@md0x
refactor: simplify
6a63040 
Signed-off-by: Pablo Maldonado <[email protected]>
@md0x
refactor: cleanup
ef08497 
Signed-off-by: Pablo Maldonado <[email protected]>
@md0x md0x requested a review from Reinis-FRP April 20, 2025 09:47
md0x added 2 commits April 20, 2025 11:49
@md0x
refactor: comments
9f43af0 
Signed-off-by: Pablo Maldonado <[email protected]>
@md0x
fix: scripts
8431833 
Signed-off-by: Pablo Maldonado <[email protected]>
Reinis-FRP
Reinis-FRP reviewed Apr 20, 2025
View reviewed changes
@md0x md0x force-pushed the pablo/acx-4021-m-01-deposit-tokens-transferred-from-depositor-token-account branch from 890b05f to 39711a4 Compare April 21, 2025 16:50
@md0x md0x force-pushed the pablo/acx-4021-m-01-deposit-tokens-transferred-from-depositor-token-account branch from 39711a4 to 5d34e89 Compare April 21, 2025 16:53
@md0x
refactor: simplify
23cafcc 
Signed-off-by: Pablo Maldonado <[email protected]>
@md0x md0x force-pushed the pablo/acx-4021-m-01-deposit-tokens-transferred-from-depositor-token-account branch from 410c01a to 23cafcc Compare April 21, 2025 17:02
md0x added 3 commits April 21, 2025 19:31
@md0x
refactor: delegate utils
5c0f8be 
Signed-off-by: Pablo Maldonado <[email protected]>
@md0x
refactor: anchor serialize
be4401e 
Signed-off-by: Pablo Maldonado <[email protected]>
@md0x
refactor: reuse helper deriveSeedHash
4150839 
Signed-off-by: Pablo Maldonado <[email protected]>
@md0x md0x requested a review from Reinis-FRP April 21, 2025 20:29
Reinis-FRP
Reinis-FRP reviewed Apr 22, 2025
View reviewed changes
Reinis-FRP
Reinis-FRP reviewed Apr 22, 2025
View reviewed changes
Reinis-FRP
Reinis-FRP reviewed Apr 22, 2025
View reviewed changes
Reinis-FRP
Reinis-FRP reviewed Apr 22, 2025
View reviewed changes
Reinis-FRP and others added 2 commits April 22, 2025 08:57
@Reinis-FRP
fix: move paused fills check in handler
28bf1e1 
Signed-off-by: Reinis Martinsons <[email protected]>
@md0x
feat: improvements
e475b31 
Signed-off-by: Pablo Maldonado <[email protected]>
@md0x md0x requested a review from Reinis-FRP April 22, 2025 09:27
Reinis-FRP
Reinis-FRP reviewed Apr 22, 2025
View reviewed changes
Reinis-FRP
Reinis-FRP approved these changes Apr 22, 2025
View reviewed changes
Copy link
Contributor

@Reinis-FRP Reinis-FRP left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice!

@md0x md0x merged commit d6497e3 into master Apr 23, 2025
9 checks passed
@md0x md0x deleted the pablo/acx-4021-m-01-deposit-tokens-transferred-from-depositor-token-account branch April 23, 2025 13:04
@md0x md0x restored the pablo/acx-4021-m-01-deposit-tokens-transferred-from-depositor-token-account branch April 23, 2025 13:13
@md0x md0x mentioned this pull request Apr 23, 2025
Merged
Reinis-FRP added a commit that referenced this pull request May 9, 2025
@md0x @Reinis-FRP
fix(svm): M-01 Deposit Tokens Transferred from Depositor Token Accoun…
7fdc842 
…t Instead of Signer (#958)

* fix(svm): M-01 Deposit Tokens Transfers

Signed-off-by: Pablo Maldonado <[email protected]>

* feat: use unchecked account

Signed-off-by: Pablo Maldonado <[email protected]>

* feat: remove system acc

Signed-off-by: Pablo Maldonado <[email protected]>

* fix: deposit tests

Signed-off-by: Pablo Maldonado <[email protected]>

* fix: fill tests

Signed-off-by: Pablo Maldonado <[email protected]>

* refactor: rename and comments

Signed-off-by: Pablo Maldonado <[email protected]>

* fix: across plus

Signed-off-by: Pablo Maldonado <[email protected]>

* refactor: rename and organize function

Signed-off-by: Pablo Maldonado <[email protected]>

* feat: update deposit delegate seed

Signed-off-by: Pablo Maldonado <[email protected]>

* feat: use relay_hash from function arguments

Signed-off-by: Pablo Maldonado <[email protected]>

* fix: heap memory error

Signed-off-by: Pablo Maldonado <[email protected]>

* fix

Signed-off-by: Pablo Maldonado <[email protected]>

* refactor: cleanup

Signed-off-by: Pablo Maldonado <[email protected]>

* fix: deposit checks

Signed-off-by: Pablo Maldonado <[email protected]>

* fix: fill tests

Signed-off-by: Pablo Maldonado <[email protected]>

* fix: fill relay delagate

Signed-off-by: Pablo Maldonado <[email protected]>

* fix: fill

Signed-off-by: Pablo Maldonado <[email protected]>

* refactor: simplify

Signed-off-by: Pablo Maldonado <[email protected]>

* refactor: cleanup

Signed-off-by: Pablo Maldonado <[email protected]>

* refactor: clean fill test

Signed-off-by: Pablo Maldonado <[email protected]>

* test: update fill tests

Signed-off-by: Pablo Maldonado <[email protected]>

* refactor: comments

Signed-off-by: Pablo Maldonado <[email protected]>

* fix: scripts

Signed-off-by: Pablo Maldonado <[email protected]>

* refactor: make seed structs private

Signed-off-by: Pablo Maldonado <[email protected]>

* feat: add missing params to deposit hashes

Signed-off-by: Pablo Maldonado <[email protected]>

* refactor: simplify

Signed-off-by: Pablo Maldonado <[email protected]>

* refactor: delegate utils

Signed-off-by: Pablo Maldonado <[email protected]>

* refactor: anchor serialize

Signed-off-by: Pablo Maldonado <[email protected]>

* refactor: reuse helper deriveSeedHash

Signed-off-by: Pablo Maldonado <[email protected]>

* fix: move paused fills check in handler

Signed-off-by: Reinis Martinsons <[email protected]>

* feat: improvements

Signed-off-by: Pablo Maldonado <[email protected]>

* fix: remove program_id from transfer_from params

Signed-off-by: Reinis Martinsons <[email protected]>

---------

Signed-off-by: Pablo Maldonado <[email protected]>
Signed-off-by: Pablo Maldonado <[email protected]>
Signed-off-by: Reinis Martinsons <[email protected]>
Co-authored-by: Reinis Martinsons <[email protected]>
Signed-off-by: Reinis Martinsons <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mrice32 mrice32 mrice32 approved these changes

@Reinis-FRP Reinis-FRP Reinis-FRP approved these changes

@nicholaspai nicholaspai Awaiting requested review from nicholaspai nicholaspai is a code owner

@chrismaree chrismaree Awaiting requested review from chrismaree chrismaree is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@md0x @mrice32 @Reinis-FRP