fix: identity signer leak

troykessler · troykessler · commit b2793831c61c · 2026-04-10T11:24:15.000+02:00
diff --git a/rust/main/chains/hyperlane-sealevel/src/mailbox.rs b/rust/main/chains/hyperlane-sealevel/src/mailbox.rs
@@ -342,14 +342,11 @@ impl SealevelMailbox {
         let account_metas = self.get_account_metas(instruction).await?;
 
         // Ensure dynamically provided account metas are safe to prevent theft from the payer.
-        // The identity signer (if configured and distinct from payer) is allowed through as a
-        // trusted co-signer (e.g. required by TrustedRelayer ISMs).
-        let identity = self.get_signer_if_separate().map(|s| s.pubkey());
-        sanitize_dynamic_accounts(
-            account_metas,
-            &self.get_payer()?.pubkey(),
-            identity.as_ref(),
-        )
+        // Identity is NOT passed here: neither the ISM-getter nor handle paths should trust
+        // an external program to request the relayer's identity as a signer. Only the ISM
+        // verify fixpoint loop (get_ism_verify_account_metas) passes identity, after it has
+        // already converged on a stable account set from a known ISM program.
+        sanitize_dynamic_accounts(account_metas, &self.get_payer()?.pubkey(), None)
     }
 
     async fn get_process_payload(
diff --git a/rust/main/chains/hyperlane-sealevel/src/utils.rs b/rust/main/chains/hyperlane-sealevel/src/utils.rs
@@ -129,4 +129,28 @@ mod test {
         assert!(!result[0].is_signer);
         assert!(result[1].is_signer);
     }
+
+    /// Regression test: ISM-getter and handle paths pass `None` as identity, so a malicious
+    /// recipient program cannot trick the relayer into co-signing with its identity keypair
+    /// by returning it with `is_signer: true` in the account metas simulation.
+    #[test]
+    fn test_sanitize_dynamic_accounts_strips_identity_signer_when_none() {
+        use solana_sdk::instruction::AccountMeta;
+
+        let payer = Pubkey::new_unique();
+        let identity = Pubkey::new_unique();
+
+        // Simulate a malicious recipient returning the relayer's identity as a signer.
+        let account_metas = vec![
+            AccountMeta::new_readonly([0u8; 32].into(), false),
+            AccountMeta::new_readonly(identity, true),
+        ];
+
+        // `None` identity — as used by get_non_signer_account_metas_with_instruction_bytes.
+        let result = sanitize_dynamic_accounts(account_metas, &payer, None).unwrap();
+
+        // Both accounts must have is_signer stripped, including the identity key.
+        assert!(!result[0].is_signer);
+        assert!(!result[1].is_signer);
+    }
 }
