fix(security): validate extensions PDA in deposit processor #21
Merged
The deposit instruction reads hook configuration from the extensions account but did not validate that it is the correct PDA. An attacker could pass any empty account as extensions, causing hooks to be silently skipped. Add the same validate_extensions_pda() call that the withdraw processor already uses. Ref: GHSA-735q-4mm8-3j4w
amilz
approved these changes
Feb 20, 2026
Summary

- Add `validate_extensions_pda()` call to the deposit processor before reading hook extensions, matching the existing validation in the withdraw processor
- Prevents an attacker from passing an arbitrary `extensions` parameter to silently bypass all configured pre- and post-deposit hooks

Details

The deposit instruction reads hook configuration from the extensions account but did not validate that it is the correct PDA (`[b"extensions", escrow_key]`). An attacker could pass any zero-length account (e.g., system program) as `extensions`, causing `get_extensions_from_account` to return no hooks and silently skip all pre/post-deposit hook invocations.

The withdraw processor already validates this at `withdraw/processor.rs:39`. All extension-writing instructions (`SetHook`, `SetArbiter`, `AddTimelock`, `BlockTokenExtension`) and `AllowMint` also validate the extensions PDA. Only `Deposit` was missing this check.

Ref: GHSA-735q-4mm8-3j4w

Test plan

- `just build` succeeds
- `just integration-test` — all 178 tests pass
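The bypass and the fix, as an added example written for this page: it is not the escrow program's code and not part of this PR. The PDA derivation below reproduces Solana's rule (SHA-256 over the seeds, the program id and the string `ProgramDerivedAddress`, retrying bump seeds from 255 downward until the result is not a valid ed25519 point) so it runs offline with no Solana crates. The program id, the escrow key, the `AccountInfo` stand-in and the one-hook-per-line payload are all constructed for the example; `validate_extensions_pda`, `get_extensions_from_account`, `deposit_vulnerable` and `deposit_fixed` model the behaviour the PR describes rather than copy the project's functions.

```python
"""Model of the missing extensions-PDA check in the Deposit processor.

Added example, not code from the escrow program or this PR. Account model,
program id, escrow key and hook payload are constructed for illustration.
"""
import hashlib
from typing import List, Optional, Sequence, Tuple

# ed25519 field prime and curve constant d = -121665/121666 mod p
P = 2**255 - 19
D = (-121665 * pow(121666, -1, P)) % P

PDA_MARKER = b"ProgramDerivedAddress"
# The system program id (all zero bytes); its account has no data, so it is
# exactly the kind of "any zero-length account" the advisory describes.
SYSTEM_PROGRAM_ID = bytes(32)
# Hypothetical escrow program id, constructed for the example.
ESCROW_PROGRAM_ID = hashlib.sha256(b"example escrow program").digest()


def is_on_curve(point: bytes) -> bool:
    """True if the 32-byte value decompresses to an ed25519 point.

    Recovers x^2 = (y^2 - 1) / (d*y^2 + 1) from the encoded y and checks that it
    is a quadratic residue; x == 0 with the sign bit set is not a valid encoding.
    A PDA must NOT satisfy this, so no private key can exist for it.
    """
    y = int.from_bytes(point, "little")
    sign = y >> 255
    y = (y & ((1 << 255) - 1)) % P
    u = (y * y - 1) % P
    v = (D * y * y + 1) % P  # never 0: -1/d is a non-residue mod p
    x2 = u * pow(v, -1, P) % P
    if x2 == 0:
        return sign == 0
    return pow(x2, (P - 1) // 2, P) == 1  # Euler's criterion


def create_program_address(seeds: Sequence[bytes], program_id: bytes) -> Optional[bytes]:
    """Hash seeds || program_id || marker; reject the result if it is on-curve."""
    h = hashlib.sha256()
    for seed in seeds:
        if len(seed) > 32:
            raise ValueError("seed too long")
        h.update(seed)
    h.update(program_id)
    h.update(PDA_MARKER)
    candidate = h.digest()
    return None if is_on_curve(candidate) else candidate


def find_program_address(seeds: Sequence[bytes], program_id: bytes) -> Tuple[bytes, int]:
    """Canonical PDA: the first off-curve address walking bump 255 down to 0."""
    for bump in range(255, -1, -1):
        addr = create_program_address(list(seeds) + [bytes([bump])], program_id)
        if addr is not None:
            return addr, bump
    raise ValueError("no viable bump seed")  # probability about 2^-256


class AccountInfo:
    """Minimal stand-in for an on-chain account: a key and its data bytes."""

    def __init__(self, key: bytes, data: bytes) -> None:
        self.key = key
        self.data = data


def get_extensions_from_account(account: AccountInfo) -> List[str]:
    """Stand-in hook parser: zero-length data means 'no hooks configured'."""
    if len(account.data) == 0:
        return []
    return account.data.decode().split("\n")  # constructed layout: one hook per line


def validate_extensions_pda(extensions: AccountInfo, escrow_key: bytes) -> None:
    """The check Deposit was missing: the account must be the canonical PDA."""
    expected, _bump = find_program_address([b"extensions", escrow_key], ESCROW_PROGRAM_ID)
    if extensions.key != expected:
        raise ValueError("extensions account is not the expected PDA")


def deposit_vulnerable(extensions: AccountInfo, escrow_key: bytes) -> List[str]:
    # Before the fix: reads hooks from whatever account the caller supplied.
    return get_extensions_from_account(extensions)


def deposit_fixed(extensions: AccountInfo, escrow_key: bytes) -> List[str]:
    # After the fix: derive the PDA and reject anything else before reading hooks.
    validate_extensions_pda(extensions, escrow_key)
    return get_extensions_from_account(extensions)


def demo() -> dict:
    """Run both processors against the real PDA and a substituted empty account."""
    escrow_key = hashlib.sha256(b"example escrow").digest()  # constructed
    pda, _bump = find_program_address([b"extensions", escrow_key], ESCROW_PROGRAM_ID)
    real = AccountInfo(pda, b"pre_deposit_hook\npost_deposit_hook")
    bogus = AccountInfo(SYSTEM_PROGRAM_ID, b"")
    try:
        deposit_fixed(bogus, escrow_key)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "vulnerable_with_bogus": deposit_vulnerable(bogus, escrow_key),  # [] : hooks skipped
        "fixed_with_real": deposit_fixed(real, escrow_key),
        "fixed_rejects_bogus": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The key-equality check is the whole fix: because the expected address is recomputed from `[b"extensions", escrow_key]` and the program id, a caller cannot substitute an account at any other key, and no signer can exist for the PDA itself since it is off-curve by construction.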