Account Size Violation
Detects account data size violations in Solana programs.
Overview
The account size violation detector identifies operations that could exceed Solana’s maximum account data size (10 MB) or cause data truncation when writing to accounts with insufficient allocated space. It checks for dynamic data writes without size validation and reallocation patterns that could fail.
For remediation guidance, see Account Size Violation Remediation.
Why This Is an Issue
Solana accounts have a fixed data length set at creation. Writing data beyond the allocated size causes a runtime error that aborts the transaction. If a program stores variable-length data (vectors, strings) without validating that the serialized size fits the account, an attacker can provide input that exceeds the allocation, causing transaction failure. Additionally, the 10 MB maximum account size means programs must plan data growth carefully.
How to Resolve
Before (Vulnerable)
// Vulnerable: stores variable-length data without size check
pub fn update_metadata(
    ctx: Context<Update>,
    name: String,
    uri: String,
) -> Result<()> {
    let metadata = &mut ctx.accounts.metadata;
    metadata.name = name; // Could exceed allocated space
    metadata.uri = uri;
    Ok(())
}
After (Fixed)
// Fixed: bound each field's length before writing it to the account
const MAX_NAME_LEN: usize = 32;
const MAX_URI_LEN: usize = 200;

pub fn update_metadata(
    ctx: Context<Update>,
    name: String,
    uri: String,
) -> Result<()> {
    // String::len() counts bytes, which is what the serialized data occupies
    require!(name.len() <= MAX_NAME_LEN, ErrorCode::NameTooLong);
    require!(uri.len() <= MAX_URI_LEN, ErrorCode::UriTooLong);
    let metadata = &mut ctx.accounts.metadata;
    metadata.name = name;
    metadata.uri = uri;
    Ok(())
}
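The length limits in the fix only prevent overflow if the account was allocated for those maxima. The following added example (not part of the original page or the detector's code) models that arithmetic in plain Rust, assuming an Anchor account with an 8-byte discriminator and Borsh string encoding with a 4-byte length prefix; `METADATA_SPACE`, `SizeError`, `check_write` and `check_realloc` are hypothetical names.

```rust
// Added example: plain Rust, no Solana crates. Models an Anchor account
// (8-byte discriminator) holding two Borsh-serialized strings.
const DISCRIMINATOR_LEN: usize = 8;
const BORSH_LEN_PREFIX: usize = 4; // Borsh writes a u32 length before String bytes
const MAX_NAME_LEN: usize = 32; // limits from the fixed handler
const MAX_URI_LEN: usize = 200;
// Solana's maximum account data length (the 10 MB limit): 10 * 1024 * 1024 bytes.
const MAX_ACCOUNT_DATA_LEN: usize = 10 * 1024 * 1024;

/// Space to allocate at creation so any in-limit name/uri always fits.
pub const METADATA_SPACE: usize =
    DISCRIMINATOR_LEN + (BORSH_LEN_PREFIX + MAX_NAME_LEN) + (BORSH_LEN_PREFIX + MAX_URI_LEN);

#[derive(Debug, PartialEq)]
pub enum SizeError {
    ExceedsAllocation { needed: usize, allocated: usize },
    ExceedsAccountLimit { requested: usize },
}

/// Bytes the account data needs once both strings are serialized.
/// `str::len` counts UTF-8 bytes, which is what ends up in the account.
pub fn serialized_len(name: &str, uri: &str) -> usize {
    DISCRIMINATOR_LEN + BORSH_LEN_PREFIX + name.len() + BORSH_LEN_PREFIX + uri.len()
}

/// Validate a write against the account's current data length.
pub fn check_write(name: &str, uri: &str, allocated: usize) -> Result<usize, SizeError> {
    let needed = serialized_len(name, uri);
    if needed > allocated {
        return Err(SizeError::ExceedsAllocation { needed, allocated });
    }
    Ok(needed)
}

/// Validate a reallocation target against the account size limit.
pub fn check_realloc(new_len: usize) -> Result<usize, SizeError> {
    if new_len > MAX_ACCOUNT_DATA_LEN {
        return Err(SizeError::ExceedsAccountLimit { requested: new_len });
    }
    Ok(new_len)
}

fn main() {
    // Constructed inputs: 32 two-byte characters are 64 bytes, over MAX_NAME_LEN.
    let wide_name = "\u{e9}".repeat(32);
    println!("space = {}", METADATA_SPACE);
    println!("{:?}", check_write("token", "https://example.com/m.json", METADATA_SPACE));
    println!("{:?}", check_write(&wide_name, &"u".repeat(MAX_URI_LEN), METADATA_SPACE));
    println!("{:?}", check_realloc(MAX_ACCOUNT_DATA_LEN + 1));
}
```

A limit enforced on character count instead of byte length would accept the 32-character name above even though it serializes to 64 bytes.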
Example JSON Finding
{
  "detector": "account-size-violation",
  "severity": "medium",
  "confidence": 0.6,
  "message": "Variable-length data stored without size validation against account allocation",
  "location": { "function": "update_metadata", "block": 0, "statement": 2 }
}
Detection Methodology
- Account write detection: Identifies store operations to account data.
- Size validation search: Checks for length comparisons before data writes.
- Dynamic data tracking: Flags storage of variable-length types (Vec, String) without bounds.
- Reallocation analysis: Verifies realloc operations validate new size against limits.
Limitations
- False positives: Programs that store fixed-size data types will not exceed bounds, but the detector may not distinguish fixed from variable at the bytecode level.
- False negatives: Size calculations done in external helper functions may not be visible.
Related Detectors
- Anchor Space Allocation — incorrect Anchor space calculations
- Rent Exemption Violation — rent requirements for account size