SSSwap

First Flight #41
Beginner Friendly, Rust
100 EXP
Submission Details
Impact: medium
Likelihood: high
Invalid

Missing Validation on Pool Creator in `InitializePool` Instruction

Description

The `InitializePool` instruction accepts a `creator` account marked as a signer, but it does not verify whether the creator is an authorized admin or a valid participant. There is no access control or whitelist mechanism restricting who can create new liquidity pools.

Infected Code

```rust
#[derive(Accounts)]
#[instruction(id: u64)]
pub struct InitializePool<'info> {
    #[account(mut)]
    pub creator: Signer<'info>,
    // other accounts ...
}
```

Impact

Without validation on the creator, anyone can create liquidity pools arbitrarily. This can lead to:

  • Creation of pools with manipulated token ratios or parameters designed to deceive users or create unfair trading conditions.

  • Potential manipulation or fragmentation of liquidity across many pools, undermining the protocol’s integrity and governance mechanisms.

Recommendation

Implement access control to restrict pool creation to authorized users. One approach is to maintain an on-chain list (e.g., a PDA account) of approved creators and verify against it in the instruction.

Fixed Code Example

```rust
use anchor_lang::prelude::*;

#[derive(Accounts)]
#[instruction(id: u64)]
pub struct InitializePool<'info> {
    #[account(mut)]
    pub creator: Signer<'info>,
    // Reject the instruction unless the signer is on the approved list.
    #[account(
        seeds = [b"admin_list"],
        bump,
        constraint = admin_list.authorized_creators.contains(&creator.key()),
    )]
    pub admin_list: Account<'info, AdminList>,
    // other accounts ...
}

// AdminList state holds authorized creators
#[account]
pub struct AdminList {
    pub authorized_creators: Vec<Pubkey>,
}
```
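
The check recommended above, modeled in plain Rust without Anchor so it runs offline; this is an added example, not code from the submission or from the SSSwap program. `MAX_CREATORS`, the `authority` field, the function names and the sample keys are assumptions made for illustration.

```rust
// Added example: std-only model of the allowlist gate; this is not Anchor code.
// Every name except AdminList / authorized_creators is hypothetical.
type Pubkey = [u8; 32];

const MAX_CREATORS: usize = 32; // assumed cap: an on-chain Vec needs a fixed upper bound

#[derive(Debug, PartialEq)]
pub enum PoolError { MissingSignature, Unauthorized, ListFull, AlreadyListed }

pub struct AdminList {
    pub authority: Pubkey, // hypothetical: the only key allowed to edit the list
    pub authorized_creators: Vec<Pubkey>,
}

impl AdminList {
    /// Only `authority`, having signed, may add a creator.
    pub fn add_creator(&mut self, caller: Pubkey, signed: bool, new: Pubkey) -> Result<(), PoolError> {
        if !signed { return Err(PoolError::MissingSignature); }
        if caller != self.authority { return Err(PoolError::Unauthorized); }
        if self.authorized_creators.contains(&new) { return Err(PoolError::AlreadyListed); }
        if self.authorized_creators.len() >= MAX_CREATORS { return Err(PoolError::ListFull); }
        self.authorized_creators.push(new);
        Ok(())
    }
}

/// Behaviour described in the finding: a signature is the only requirement.
pub fn initialize_pool_open(creator_signed: bool) -> Result<(), PoolError> {
    if creator_signed { Ok(()) } else { Err(PoolError::MissingSignature) }
}

/// Recommended behaviour: signature plus membership in the list.
pub fn initialize_pool_gated(list: &AdminList, creator: Pubkey, creator_signed: bool) -> Result<(), PoolError> {
    initialize_pool_open(creator_signed)?;
    if list.authorized_creators.contains(&creator) { Ok(()) } else { Err(PoolError::Unauthorized) }
}

fn main() {
    let (admin, alice, mallory) = ([1u8; 32], [2u8; 32], [3u8; 32]); // constructed keys
    let mut list = AdminList { authority: admin, authorized_creators: vec![] };
    list.add_creator(admin, true, alice).unwrap();
    println!("open,  mallory: {:?}", initialize_pool_open(true));
    println!("gated, mallory: {:?}", initialize_pool_gated(&list, mallory, true));
    println!("gated, alice:   {:?}", initialize_pool_gated(&list, alice, true));
}
```

The model also gates edits to the list itself, which the struct-level fix does not cover: an allowlist that any signer can modify restricts nothing.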
Updates

Lead Judging Commences

0xtimefliez Lead Judge 5 days ago
Submission Judgement Published
Invalidated
Reason: Design choice
