Cross-Contract Consistency
Detects cross-account state consistency issues.
Overview
The cross-contract consistency detector identifies atomicity issues in multi-account operations that can lead to inconsistent state across related accounts. When multiple accounts are updated in sequence, an error during the process can leave some accounts updated and others not, creating exploitable inconsistencies.
For remediation guidance, see Cross-Contract Consistency Remediation.
Why This Is an Issue
Programs that update multiple related accounts (e.g., debit account A, credit account B, update record C) must ensure all updates succeed or none do. If an error occurs after updating account A but before updating B, the state becomes inconsistent. While Solana transactions are atomic at the transaction level, individual instruction handlers can create partial updates that are observable by later instructions.
How to Resolve
Before (Vulnerable)
// Vulnerable: partial update on error
account_a.balance -= amount;
account_a.serialize(&mut *data_a)?;
// If this fails, account_a is already modified
account_b.balance += amount;
account_b.serialize(&mut *data_b)?;
After (Fixed)
// Fixed: validate all operations before committing
require!(account_a.balance >= amount, Insufficient);
require!(account_b.balance.checked_add(amount).is_some(), Overflow);
// All validations passed -- now commit
account_a.balance -= amount;
account_b.balance += amount;
account_a.serialize(&mut *data_a)?;
account_b.serialize(&mut *data_b)?;
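The two patterns above, modeled in plain Rust over raw byte buffers so the partial write can be observed directly. This is an added example, not the detector's or any program's own code. The 8-byte little-endian balance layout and the names `read_balance`, `write_balance`, `transfer_sequential`, `transfer_validated` and `demo` are assumptions made for illustration.

```rust
// Added example: plain-Rust model of two account data buffers (no Solana crates).
#[derive(Debug, PartialEq)]
pub enum TransferError { Insufficient, Overflow, BufferTooSmall }

// Hypothetical account layout: one little-endian u64 balance in the first 8 bytes.
pub fn read_balance(data: &[u8]) -> Result<u64, TransferError> {
    let src = data.get(..8).ok_or(TransferError::BufferTooSmall)?;
    let mut raw = [0u8; 8];
    raw.copy_from_slice(src);
    Ok(u64::from_le_bytes(raw))
}

pub fn write_balance(data: &mut [u8], balance: u64) -> Result<(), TransferError> {
    let dst = data.get_mut(..8).ok_or(TransferError::BufferTooSmall)?;
    dst.copy_from_slice(&balance.to_le_bytes());
    Ok(())
}

// "Before" pattern: A is written before B has been checked.
pub fn transfer_sequential(a: &mut [u8], b: &mut [u8], amount: u64) -> Result<(), TransferError> {
    let new_a = read_balance(a)?.checked_sub(amount).ok_or(TransferError::Insufficient)?;
    write_balance(a, new_a)?; // A's buffer is now modified
    let new_b = read_balance(b)?.checked_add(amount).ok_or(TransferError::Overflow)?;
    write_balance(b, new_b) // never reached if the line above fails
}

// "After" pattern: compute and validate both new states, then write.
pub fn transfer_validated(a: &mut [u8], b: &mut [u8], amount: u64) -> Result<(), TransferError> {
    let new_a = read_balance(a)?.checked_sub(amount).ok_or(TransferError::Insufficient)?;
    let new_b = read_balance(b)?.checked_add(amount).ok_or(TransferError::Overflow)?;
    // Both reads succeeded, so both buffers hold 8 bytes and the writes cannot fail.
    write_balance(a, new_a)?;
    write_balance(b, new_b)
}

// Constructed input: A holds 100, B holds u64::MAX so crediting it overflows.
pub fn demo(validated: bool) -> (Result<(), TransferError>, u64, u64) {
    let mut a = 100u64.to_le_bytes();
    let mut b = u64::MAX.to_le_bytes();
    let res = if validated { transfer_validated(&mut a, &mut b, 1) }
              else { transfer_sequential(&mut a, &mut b, 1) };
    (res, read_balance(&a).unwrap(), read_balance(&b).unwrap())
}

fn main() {
    println!("sequential: {:?}", demo(false));
    println!("validated:  {:?}", demo(true));
}
```

Both variants return the same error, so a check of the return value alone cannot tell them apart; only the contents of A's buffer differ.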
Example JSON Finding
{
  "detector": "cross-contract-consistency",
  "severity": "medium",
  "confidence": 0.6,
  "message": "Multiple account updates without rollback logic -- partial update risk",
  "location": { "function": "transfer", "block": 0, "statement": 3 }
}
Detection Methodology
- Multi-account write detection: Identifies instructions that write to multiple accounts.
- Error handling analysis: Checks for error handling between sequential account writes.
- Rollback logic detection: Looks for compensation logic that reverses earlier writes on failure.
Limitations
- False positives: Programs where all writes are guaranteed to succeed after validation.
- False negatives: Consistency issues across multiple instructions rather than within one.
Related Detectors
- Cross-Program State — CPI state inconsistencies
- Cross-Instruction State Desync — instruction ordering issues