Submission Details
Severity:
Unsafe Lamport Manipulation Risks Account Corruption
Summary
Direct lamport adjustments in refund and withdraw bypass Anchor’s safety checks, risking rent exhaustion and account closure.
Vulnerability Details
Manually modifying lamports via try_borrow_mut_lamports() can inadvertently reduce an account’s balance below the rent-exempt threshold, causing Solana runtime to close the account and lose data.
Impact
Fund or contributor accounts may be closed unexpectedly, leading to permanent data loss and failed transactions.
Tools Used
Recommendations
Use CPI to the system program for secure transfers:
system_program::transfer(
CpiContext::new(
ctx.accounts.system_program.to_account_info(),
system_program::Transfer {
from: fund.to_account_info(),
to: creator.to_account_info(),
},
),
amount,
)?;
Updates
Appeal created
bube 3 months ago
Submission Judgement Published Assigned finding tags:
Unsafe direct lamport manipulation
Rewards breakdown
nSLOC
170This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.