From 92de2a9044a05e3f297a7604642eaca7e04ef3af Mon Sep 17 00:00:00 2001
From: Jo D
Date: Fri, 20 Feb 2026 12:54:20 -0500
Subject: [PATCH] fix(security): validate extensions PDA in deposit processor

The deposit instruction reads hook configuration from the extensions account but did not validate that it is the correct PDA. An attacker could pass any empty account as extensions, causing hooks to be silently skipped. Add the same validate_extensions_pda() call that the withdraw processor already uses.

Ref: GHSA-735q-4mm8-3j4w
---
 program/src/instructions/deposit/processor.rs | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/program/src/instructions/deposit/processor.rs b/program/src/instructions/deposit/processor.rs
index 8550774..850f3b3 100644
--- a/program/src/instructions/deposit/processor.rs
+++ b/program/src/instructions/deposit/processor.rs
@@ -13,7 +13,8 @@ use crate::{
 events::DepositEvent,
 instructions::Deposit,
 state::{
- get_extensions_from_account, AllowedMint, AllowedMintPda, Escrow, ExtensionType, HookData, HookPoint, Receipt,
+ get_extensions_from_account, validate_extensions_pda, AllowedMint, AllowedMintPda, Escrow, ExtensionType,
+ HookData, HookPoint, Receipt,
 },
 traits::{AccountSerialize, AccountSize, EventSerialize, ExtensionData, PdaSeeds},
 utils::{create_pda_account, emit_event, get_mint_decimals},
@@ -70,6 +71,9 @@ pub fn process_deposit(program_id: &Address, accounts: &[AccountView], instructi
 receipt.write_to_slice(&mut receipt_data_slice)?;
 drop(receipt_data_slice);
 
+ // Validate extensions PDA
+ validate_extensions_pda(ix.accounts.escrow, ix.accounts.extensions, program_id)?;
+
 // Get hook extension if present
 let exts = get_extensions_from_account(ix.accounts.extensions, &[ExtensionType::Hook])?;
 let hook_data = exts[0].as_ref().map(|b| HookData::from_bytes(b)).transpose()?;
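Review bot: `validate_extensions_pda(...)` is called only after `receipt.write_to_slice(...)` has already filled the receipt account, so the extensions account is checked after state was written rather than alongside the other account checks. On Solana a failing instruction reverts the whole transaction, so this should not leave a half-written receipt, but validating every passed-in account before the first write keeps the function fail-fast and makes the check harder to lose in a later refactor; `process_deposit` starts above this hunk and continues below it, so the right spot needs confirming there. The added comment restates the call; `// Hooks are read from this account below, so it must be the extensions PDA derived from this escrow` would record why the check exists. The commit touches only processor.rs: a regression test that a deposit with a substituted extensions account is rejected would pin the fix, and since withdraw had the check while deposit lacked it, any other caller of `get_extensions_from_account` deserves the same look.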