-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathclaim_vulnerable.rs
More file actions
54 lines (46 loc) · 1.62 KB
/
Copy pathclaim_vulnerable.rs
File metadata and controls
54 lines (46 loc) · 1.62 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
use anchor_lang::prelude::*;
use crate::state::{RewardConfig, UserReward};
/// Claim rewards - creates user's reward account
///
/// ⚠️ VULNERABLE: Uses `init` constraint for user_reward account.
/// If the account already exists, this instruction will FAIL.
///
/// Attack scenario:
/// 1. User calls claim_vulnerable()
/// 2. Attacker sees pending transaction in mempool
/// 3. Attacker front-runs by creating user's reward account first
/// 4. User's transaction fails because account already exists
/// 5. User is blocked from claiming rewards!
#[derive(Accounts)]
pub struct ClaimVulnerable<'info> {
#[account(
seeds = [b"config"],
bump = config.bump
)]
pub config: Account<'info, RewardConfig>,
/// ⚠️ VULNERABLE: Using `init` means this FAILS if account exists!
/// An attacker can create this account before the user, blocking them.
#[account(
init,
payer = user,
space = UserReward::LEN,
seeds = [b"user_reward", config.key().as_ref(), user.key().as_ref()],
bump
)]
pub user_reward: Account<'info, UserReward>,
#[account(mut)]
pub user: Signer<'info>,
pub system_program: Program<'info, System>,
}
pub fn handler(ctx: Context<ClaimVulnerable>) -> Result<()> {
let user_reward = &mut ctx.accounts.user_reward;
user_reward.user = ctx.accounts.user.key();
user_reward.config = ctx.accounts.config.key();
user_reward.claimed = true;
user_reward.bump = ctx.bumps.user_reward;
msg!(
"VULNERABLE: Claimed {} tokens via newly created account",
ctx.accounts.config.reward_amount
);
Ok(())
}