Cross-Program Reinit
Detects accounts used after CPI without re-validating initialization state.
Overview
The cross-program reinit detector identifies account state that a program reads and then keeps using across a cross-program invocation (CPI) that could close and re-initialize the account within the same transaction. The sequence is: Program A deserializes the account, hands it to Program B via CPI, Program B (or a program it invokes) closes the account and re-initializes it with attacker-chosen data, and Program A continues with the copy it took before the CPI, or re-reads the bytes without checking that they still describe an initialized account of the expected kind.
For remediation guidance, see Cross-Program Reinit Remediation.
Why This Is an Issue
In a single Solana transaction, instructions execute sequentially, and an account that has been closed (lamports drained, data zeroed) is only purged when the transaction ends, so it can be funded and written again before then. A program that deserializes an account and then performs a CPI that receives that account therefore has no guarantee the account is unchanged when control returns: the callee, or any program it invokes, may have closed it and re-initialized it with attacker-controlled contents. Logic that continues with the pre-CPI copy, or that trusts the raw bytes after the CPI without re-checking the discriminator, owner and layout version, operates on corrupted state.
How to Resolve
Before (Vulnerable)
// Vulnerable: deserializes a copy of the account state, hands the account to
// another program, then keeps using the copy as if nothing could have changed.
let state = {
    // Scope the RefCell borrow so it is released before the CPI: `invoke` returns
    // ProgramError::AccountBorrowFailed if a writable account it is passed is still borrowed.
    let data = account.data.borrow();
    MyState::deserialize(&mut &data[1..])? // skip the 1-byte discriminator
};
// CPI that could close this account and re-initialize it with attacker data
invoke(&external_ix, accounts)?;
// `state` is a stale copy: the account may now be closed or hold different contents
process(state)?;
After (Fixed)
invoke(&external_ix, accounts)?;
// Re-read and re-validate after the CPI; do not reuse any copy taken before it
let data = account.data.borrow();
// An account closed and re-created by another program will not carry this discriminator
require!(data[0] == EXPECTED_DISCRIMINATOR, Reinitialized);
let state = MyState::deserialize(&mut &data[1..])?;
// A re-initialization through this program's own init path keeps the discriminator,
// so also pin the layout version the handler expects
require!(state.version == expected_version, StateCorrupted);
process(state)?;
`Reinitialized` and `StateCorrupted` are variants of the program's error enum. The discriminator check is only meaningful while the account is still owned by this program, so also confirm `account.owner == program_id` after the CPI, and, for an account that must still exist, that its lamports are non-zero.
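The window described in Why This Is an Issue and the fix above, as an added example that is not code from this page or from any Solana program: a dependency-free Rust model in which the one-byte owner id and discriminator, the `Callee` enum standing in for the CPI target, and the `Account` struct standing in for `AccountInfo` are all assumptions. The vulnerable handler keeps the pre-CPI copy; the fixed handler re-reads after the CPI and additionally checks lamports and owner, two checks the snippet above does not show.

```rust
use std::cell::{Cell, RefCell};

// Toy model (assumptions): one-byte owner ids and a one-byte discriminator;
// real programs use Pubkey owners and Anchor's 8-byte discriminator.
const MY_PROGRAM: u8 = 1;
const EXPECTED_DISCRIMINATOR: u8 = 0xA5;
const EXPECTED_VERSION: u8 = 2;

#[derive(Debug, Clone, PartialEq)]
pub struct MyState { pub version: u8, pub balance: u64 }

#[derive(Debug, PartialEq)]
pub enum Error { Closed, BadOwner, Reinitialized, StateCorrupted, Malformed }

impl MyState {
    /// Bytes after the discriminator: [version u8][balance u64 LE].
    pub fn deserialize(bytes: &[u8]) -> Result<Self, Error> {
        if bytes.len() < 9 { return Err(Error::Malformed); }
        let mut bal = [0u8; 8];
        bal.copy_from_slice(&bytes[1..9]);
        Ok(MyState { version: bytes[0], balance: u64::from_le_bytes(bal) })
    }
    /// Full account image: discriminator followed by the fields.
    pub fn serialize(&self) -> Vec<u8> {
        let mut out = vec![EXPECTED_DISCRIMINATOR, self.version];
        out.extend_from_slice(&self.balance.to_le_bytes());
        out
    }
}

/// Stand-in for AccountInfo: interior mutability mirrors the shared account
/// view that every program in the transaction writes through.
pub struct Account { pub owner: Cell<u8>, pub lamports: Cell<u64>, pub data: RefCell<Vec<u8>> }

impl Account {
    pub fn initialized(state: &MyState) -> Self {
        Account { owner: Cell::new(MY_PROGRAM), lamports: Cell::new(1_000_000),
                  data: RefCell::new(state.serialize()) }
    }
}

/// What the callee does with the account during the "CPI" (assumption).
pub enum Callee {
    Benign,
    /// Drains lamports and zeroes data; nothing revives the account.
    CloseOnly,
    /// Closes, then revives the account with attacker-chosen bytes before
    /// returning; possible because zero-lamport accounts are only purged
    /// when the transaction ends.
    CloseAndReinit(Vec<u8>),
}

/// Stand-in for `invoke`.
pub fn invoke(callee: &Callee, account: &Account) {
    match callee {
        Callee::Benign => {}
        Callee::CloseOnly => {
            account.lamports.set(0);
            account.data.borrow_mut().iter_mut().for_each(|b| *b = 0);
        }
        Callee::CloseAndReinit(bytes) => {
            account.lamports.set(0);
            account.data.borrow_mut().clear();
            account.lamports.set(1_000_000);
            *account.data.borrow_mut() = bytes.clone();
        }
    }
}

/// Vulnerable: deserializes before the CPI and keeps using that copy.
pub fn process_vulnerable(account: &Account, callee: &Callee) -> Result<u64, Error> {
    let state = {
        let data = account.data.borrow(); // borrow released before the CPI
        MyState::deserialize(&data[1..])?
    };
    invoke(callee, account);
    Ok(state.balance) // stale if the callee closed or re-initialized the account
}

/// Fixed: re-read after the CPI and re-validate before trusting anything.
pub fn process_fixed(account: &Account, callee: &Callee) -> Result<u64, Error> {
    invoke(callee, account);
    if account.lamports.get() == 0 { return Err(Error::Closed); }
    if account.owner.get() != MY_PROGRAM { return Err(Error::BadOwner); }
    let data = account.data.borrow();
    if data.first() != Some(&EXPECTED_DISCRIMINATOR) { return Err(Error::Reinitialized); }
    let state = MyState::deserialize(&data[1..])?;
    if state.version != EXPECTED_VERSION { return Err(Error::StateCorrupted); }
    Ok(state.balance)
}

fn main() {
    let good = MyState { version: EXPECTED_VERSION, balance: 100 };
    let forged = MyState { version: 1, balance: u64::MAX }.serialize();
    for (name, callee) in [("benign", Callee::Benign), ("close", Callee::CloseOnly),
                           ("close+reinit", Callee::CloseAndReinit(forged))] {
        let (a, b) = (Account::initialized(&good), Account::initialized(&good));
        println!("{name:13} vulnerable={:?} fixed={:?}",
                 process_vulnerable(&a, &callee), process_fixed(&b, &callee));
    }
}
```

Against a benign callee both handlers agree; against a callee that closes, or closes and revives the account with a forged image, the vulnerable handler still reports the balance it copied before the CPI, while the fixed handler rejects the account with the specific reason.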
Example JSON Finding
{
  "detector": "cross-program-reinit",
  "severity": "high",
  "confidence": 0.7,
  "message": "Account data used after CPI without re-validating initialization state",
  "location": { "function": "process", "block": 2, "statement": 1 }
}
Detection Methodology
- State read tracking: Identifies account data reads.
- CPI identification: Locates CPI calls that could modify or close accounts.
- Post-CPI usage detection: Flags account data usage after CPI without re-validation.
- Close-access pattern: Detects account close operations followed by data access.
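The four steps above, as an added example that is not the detector's implementation: a single forward pass over a made-up straight-line statement IR (the `Stmt` enum, the status lattice and the sample bodies are all assumptions) that records which account copies a CPI or an explicit close may have invalidated and reports uses that follow without a re-validation. It also encodes one rule that trims a class of false positive: a callee can only close accounts it is handed, so a CPI that never receives the account leaves its status alone.

```rust
use std::collections::HashMap;

/// Toy statement IR (assumption: the real detector works on the compiled program).
#[derive(Debug, Clone, PartialEq)]
pub enum Stmt {
    /// Deserialize the account's data into a local copy.
    Read(&'static str),
    /// Cross-program invocation; the list holds the accounts handed to the callee.
    Cpi(Vec<&'static str>),
    /// Post-CPI check of discriminator, owner and version on the account.
    Revalidate(&'static str),
    /// Close the account (drain lamports, zero data).
    Close(&'static str),
    /// Consume the local copy or the raw bytes of the account.
    Use(&'static str),
}

/// What the pass knows about an account at a program point.
#[derive(Debug, Clone, Copy, PartialEq)]
enum Status {
    Fresh,    // read, and nothing since could have changed it
    AfterCpi, // handed to a callee that may have closed and re-initialized it
    Closed,   // explicitly closed in this function
}

#[derive(Debug, PartialEq)]
pub struct Finding { pub statement: usize, pub account: &'static str, pub reason: &'static str }

pub const USE_AFTER_CPI: &str =
    "Account data used after CPI without re-validating initialization state";
pub const ACCESS_AFTER_CLOSE: &str = "Account data accessed after close";

/// Single forward pass over a straight-line function body.
pub fn analyze(body: &[Stmt]) -> Vec<Finding> {
    let mut status: HashMap<&'static str, Status> = HashMap::new();
    let mut findings = Vec::new();
    for (i, stmt) in body.iter().enumerate() {
        match stmt {
            Stmt::Read(a) => match status.get(a).copied() {
                None => { status.insert(*a, Status::Fresh); }
                Some(Status::Closed) => findings.push(Finding { statement: i, account: *a, reason: ACCESS_AFTER_CLOSE }),
                // A raw re-read without validation does not clear AfterCpi.
                Some(_) => {}
            },
            Stmt::Cpi(handed) => {
                // Only accounts passed to the callee can be closed by it.
                for a in handed {
                    if status.get(a).copied() == Some(Status::Fresh) {
                        status.insert(*a, Status::AfterCpi);
                    }
                }
            }
            Stmt::Revalidate(a) => { status.insert(*a, Status::Fresh); }
            Stmt::Close(a) => { status.insert(*a, Status::Closed); }
            Stmt::Use(a) => match status.get(a).copied() {
                Some(Status::AfterCpi) => findings.push(Finding { statement: i, account: *a, reason: USE_AFTER_CPI }),
                Some(Status::Closed) => findings.push(Finding { statement: i, account: *a, reason: ACCESS_AFTER_CLOSE }),
                _ => {}
            },
        }
    }
    findings
}

fn main() {
    use Stmt::*;
    // Constructed sample: the page's vulnerable read / CPI / use sequence.
    let body = [Read("vault"), Cpi(vec!["vault"]), Use("vault")];
    for f in analyze(&body) {
        println!("{{\"detector\":\"cross-program-reinit\",\"statement\":{},\"account\":\"{}\",\"message\":\"{}\"}}",
                 f.statement, f.account, f.reason);
    }
}
```

The pass reproduces the page's two verdicts (the Before sequence is flagged, the After sequence is clean) and the close-access pattern; a re-read that is not followed by a `Revalidate` is still reported, matching the fix's insistence on checking the discriminator rather than merely re-deserializing.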
Limitations
- False positives: CPI calls to trusted programs that cannot close the account.
- False negatives: Re-initialization through multiple intermediary programs.
Related Detectors
- Cross-Program State — state inconsistencies
- Account Reinitialization — reinitialization attacks