Anchor Constraint Bypass
Detects missing or incomplete Anchor account constraint validation that could allow unauthorized account substitution.
Overview
The Anchor constraint bypass detector identifies Anchor programs where account validation constraints (#[account(mut)], #[account(signer)], #[account(has_one)], #[account(constraint)]) are missing or insufficient. While Anchor automates many safety checks, developers must still declare the correct constraints for each account: the framework only generates checks for what is written in the attribute. A missing has_one constraint on an authority field allows any signer to modify protected state. A missing mut constraint means the account is never serialized back on exit, so writes to it are silently lost.
Why This Is an Issue
Anchor programs that omit critical constraints are as vulnerable as native programs without manual checks. The Anchor framework cannot infer business logic requirements — it only enforces what the developer declares. Common gaps include: missing has_one = authority on admin operations, missing constraint = amount > 0 on transfers, and missing seeds validation on PDA accounts.
How to Resolve
use anchor_lang::prelude::*;

// Shared state: has_one = authority requires Config to carry an `authority: Pubkey` field
#[account]
pub struct Config {
    pub authority: Pubkey,
}

// Before: Vulnerable — missing authority constraint
#[derive(Accounts)]
pub struct UpdateConfig<'info> {
    #[account(mut)]
    pub config: Account<'info, Config>,
    pub authority: Signer<'info>, // No has_one — any signer works
}

// After: Fixed — authority must match config's stored authority
#[derive(Accounts)]
pub struct UpdateConfig<'info> {
    #[account(mut, has_one = authority)] // fails with ConstraintHasOne unless config.authority == authority.key()
    pub config: Account<'info, Config>,
    pub authority: Signer<'info>,
}
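To make the Overview and Why This Is an Issue sections concrete, the following is an added example, not code from this page, from the detector or from Anchor: a std-only Rust model of the checks that #[derive(Accounts)] generates for the Before and After structs above, so the effect of a missing has_one (and of a missing mut) can be exercised without a validator. Pubkey, AccountInfo, ConfigAccount, Config and ConstraintError are simplified stand-ins for the corresponding anchor_lang and solana_program types, and the admin and attacker keys are constructed.

```rust
// Added example (not the detector's, the page's or Anchor's code): a std-only model
// of the constraint checks the Accounts derive expands to. Types here are simplified
// stand-ins for the anchor_lang / solana_program types of the same role.

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Pubkey(pub [u8; 32]);

/// Mirrors the Anchor error codes the generated constraint checks return.
#[derive(Debug, PartialEq, Eq)]
pub enum ConstraintError { ConstraintMut, ConstraintSigner, ConstraintHasOne }

/// The program-owned state behind `Account<'info, Config>`.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Config { pub authority: Pubkey, pub fee_bps: u16 }

/// What the runtime hands the program for one account.
#[derive(Clone, Debug)]
pub struct AccountInfo { pub key: Pubkey, pub is_signer: bool, pub is_writable: bool }

/// `Account<'info, Config>`: the AccountInfo plus its deserialized data.
#[derive(Clone, Debug)]
pub struct ConfigAccount { pub info: AccountInfo, pub data: Config }

/// Checks the "Before" struct expands to: #[account(mut)] config, Signer authority.
pub fn validate_before(config: &ConfigAccount, authority: &AccountInfo) -> Result<(), ConstraintError> {
    if !config.info.is_writable {
        return Err(ConstraintError::ConstraintMut); // mut
    }
    if !authority.is_signer {
        return Err(ConstraintError::ConstraintSigner); // Signer<'info>
    }
    Ok(()) // nothing relates `authority` to `config.data.authority`
}

/// Checks the "After" struct expands to: #[account(mut, has_one = authority)] config, Signer authority.
pub fn validate_after(config: &ConfigAccount, authority: &AccountInfo) -> Result<(), ConstraintError> {
    validate_before(config, authority)?;
    // has_one = authority: the stored authority must equal the passed account's key
    if config.data.authority != authority.key {
        return Err(ConstraintError::ConstraintHasOne);
    }
    Ok(())
}

/// Runs the UpdateConfig handler under one of the two constraint sets and
/// returns the state the account holds afterwards (unchanged on rejection).
pub fn run_update_config(
    has_one_declared: bool,
    config: &mut ConfigAccount,
    authority: &AccountInfo,
    new_fee_bps: u16,
) -> Result<Config, ConstraintError> {
    if has_one_declared {
        validate_after(config, authority)?;
    } else {
        validate_before(config, authority)?;
    }
    config.data.fee_bps = new_fee_bps; // handler body
    Ok(config.data.clone())
}

/// Models the generated `exit`: only fields declared `mut` are serialized back,
/// so without `mut` the in-memory edit is dropped and the stored state survives.
pub fn persist_on_exit(mut_declared: bool, stored: &mut Config, in_memory: &Config) {
    if mut_declared {
        *stored = in_memory.clone();
    }
}

/// Constructed scenario: a config owned by `admin`, plus admin and attacker signers.
pub fn sample_accounts() -> (ConfigAccount, AccountInfo, AccountInfo) {
    let admin = Pubkey([0xA1; 32]);
    let attacker = Pubkey([0xB2; 32]);
    let config = ConfigAccount {
        info: AccountInfo { key: Pubkey([0xC3; 32]), is_signer: false, is_writable: true },
        data: Config { authority: admin, fee_bps: 30 },
    };
    let admin_signer = AccountInfo { key: admin, is_signer: true, is_writable: false };
    let attacker_signer = AccountInfo { key: attacker, is_signer: true, is_writable: false };
    (config, admin_signer, attacker_signer)
}

fn main() {
    let (config, _admin, attacker) = sample_accounts();
    let mut before = config.clone();
    let mut after = config;
    println!("no has_one, attacker signs: {:?}", run_update_config(false, &mut before, &attacker, 10_000));
    println!("has_one,    attacker signs: {:?}", run_update_config(true, &mut after, &attacker, 10_000));
}
```

With the Before checks, the attacker's signature is all that is required and fee_bps is overwritten; with has_one declared the same call fails with ConstraintHasOne and the stored state is untouched. persist_on_exit shows why a missing mut is a silent failure rather than a loud one: the generated exit routine only writes back fields declared mut.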
Detection Methodology
- Anchor discriminator detection: Identifies programs using Anchor’s 8-byte discriminator pattern to confirm framework usage.
- Constraint enumeration: Extracts validation checks from the program’s instruction handlers.
- Gap identification: Flags accounts used in privileged operations (writes, transfers) without corresponding authority or ownership constraints.
- Missing signer detection: Identifies accounts that need to be signers based on their role but lack the signer constraint.
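As an added illustration of the constraint enumeration, gap identification and missing signer detection steps (example code, not the detector's implementation, which works on the compiled program rather than on source): a source-level scanner that reads #[derive(Accounts)] structs from constructed Anchor source written one field per line, as in the snippet above, and flags mutable Account fields with no has_one, constraint or seeds, plus privileged-looking fields that are not Signers. Finding, scan, SAMPLE_SRC and the PRIVILEGED name list are assumptions of this example.

```rust
// Added example, not the detector's own code (which analyses the compiled
// program): a source-level approximation of constraint enumeration, gap
// identification and missing-signer detection over Anchor source text.

#[derive(Debug, PartialEq, Eq)]
pub struct Finding { pub struct_name: String, pub field: String, pub reason: &'static str }

/// One field of an Accounts struct with the tokens of its #[account(...)] attribute.
struct Field { name: String, ty: String, constraints: Vec<String> }

/// Collects the fields of every #[derive(Accounts)] struct written one field per line.
fn parse_accounts_structs(src: &str) -> Vec<(String, Vec<Field>)> {
    let lines: Vec<&str> = src.lines().map(str::trim).collect();
    let mut structs = Vec::new();
    let mut i = 0;
    while i + 1 < lines.len() {
        if lines[i] != "#[derive(Accounts)]" { i += 1; continue; }
        // The derive is followed by `pub struct Name<'info> {`
        let name = lines[i + 1].trim_start_matches("pub struct ").split('<').next().unwrap_or("?").to_string();
        let mut fields: Vec<Field> = Vec::new();
        let mut pending: Vec<String> = Vec::new();
        i += 2;
        while i < lines.len() && lines[i] != "}" {
            let l = lines[i];
            if let Some(attr) = l.strip_prefix("#[account(").and_then(|s| s.strip_suffix(")]")) {
                // Constraint enumeration: `mut, has_one = authority` -> ["mut", "has_one = authority"]
                pending = attr.split(',').map(|t| t.trim().to_string()).collect();
            } else if let Some((fname, rest)) = l.strip_prefix("pub ").and_then(|r| r.split_once(':')) {
                let ty = rest.split("//").next().unwrap_or("").trim().trim_end_matches(',').to_string();
                fields.push(Field { name: fname.trim().to_string(), ty, constraints: std::mem::take(&mut pending) });
            }
            i += 1;
        }
        structs.push((name, fields));
    }
    structs
}

/// Field names that, by convention, denote a privileged party and should sign (assumed list).
const PRIVILEGED: [&str; 3] = ["authority", "admin", "owner"];

pub fn scan(src: &str) -> Vec<Finding> {
    let mut out = Vec::new();
    for (struct_name, fields) in parse_accounts_structs(src) {
        for f in &fields {
            let has = |prefix: &str| f.constraints.iter().any(|c| c.starts_with(prefix));
            // Gap identification: a writable program account with nothing tying it to an authority.
            if f.ty.starts_with("Account<") && has("mut") && !(has("has_one") || has("constraint") || has("seeds")) {
                out.push(Finding { struct_name: struct_name.clone(), field: f.name.clone(),
                                   reason: "mutable account without has_one/constraint/seeds" });
            }
            // Missing signer detection: a privileged-looking field that is neither Signer nor `signer`.
            if PRIVILEGED.contains(&f.name.as_str()) && !f.ty.starts_with("Signer<") && !has("signer") {
                out.push(Finding { struct_name: struct_name.clone(), field: f.name.clone(),
                                   reason: "privileged account is not required to sign" });
            }
        }
    }
    out
}

/// Constructed input: the vulnerable and fixed structs from above, plus one that
/// takes its authority as a plain AccountInfo with no signer requirement.
pub const SAMPLE_SRC: &str = r#"
#[derive(Accounts)]
pub struct UpdateConfig<'info> {
    #[account(mut)]
    pub config: Account<'info, Config>,
    pub authority: Signer<'info>, // No has_one
}
#[derive(Accounts)]
pub struct UpdateConfigFixed<'info> {
    #[account(mut, has_one = authority)]
    pub config: Account<'info, Config>,
    pub authority: Signer<'info>,
}
#[derive(Accounts)]
pub struct Withdraw<'info> {
    #[account(mut, has_one = authority)]
    pub vault: Account<'info, Vault>,
    /// CHECK: validated nowhere
    pub authority: AccountInfo<'info>,
}
"#;

fn main() {
    for f in scan(SAMPLE_SRC) {
        println!("{}.{}: {}", f.struct_name, f.field, f.reason);
    }
}
```

Run against SAMPLE_SRC the scanner reports UpdateConfig.config (mutable, no authority relation) and Withdraw.authority (privileged name, not a Signer) and nothing for UpdateConfigFixed. It has the false-positive and false-negative profile described under Limitations: a check done by hand in the handler body is invisible to it, and a has_one that points at the wrong field still silences it.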
Limitations
False positives: Programs that implement custom validation logic outside Anchor constraints may be flagged. False negatives: Constraints validated in custom instruction logic rather than Anchor attribute macros may not be detected at the bytecode level.
Related Detectors
- Missing Signer Check — detects missing signer validation
- Missing Owner Check — detects missing owner validation
- Account Type Confusion — detects account type mismatches