Input Validation
Detects missing validation of user-controlled inputs including instruction parameters, account data fields, and system call results in Solana programs.
Overview
Remediation Guide: How to Fix Input Validation
The input validation detector identifies Solana program functions that use instruction data, account data fields, or system call results in security-critical operations without validating the values. In Solana, instruction data is an arbitrary byte array parsed by the program — if the program uses a value from instruction data (such as an amount, index, or authority pubkey) without bounds checking, an attacker can supply extreme values to trigger overflows, bypass limits, or access unauthorized resources.
Why This Is an Issue
Solana programs receive instruction data as raw bytes. The program is responsible for deserializing and validating every field. Missing validation on amount parameters enables draining more tokens than deposited. Missing bounds on array indices causes panics (which halt the program). Missing validation on pubkey parameters enables authority substitution.
How to Resolve
```rust
use solana_program::{
    account_info::AccountInfo, entrypoint::ProgramResult, program_error::ProgramError,
};

// Before: Vulnerable — no validation on amount
pub fn withdraw(accounts: &[AccountInfo], amount: u64) -> ProgramResult {
    let vault = &accounts[0];
    let user = &accounts[1];
    // No check that amount <= vault balance
    **vault.lamports.borrow_mut() -= amount;
    **user.lamports.borrow_mut() += amount;
    Ok(())
}
```

```rust
// After: Fixed — validate amount against the vault balance before moving lamports
pub fn withdraw(accounts: &[AccountInfo], amount: u64) -> ProgramResult {
    let vault = &accounts[0];
    let user = &accounts[1];
    let vault_balance = vault.lamports();
    if amount > vault_balance {
        return Err(ProgramError::InsufficientFunds);
    }
    **vault.lamports.borrow_mut() -= amount;
    **user.lamports.borrow_mut() += amount;
    Ok(())
}
```
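The fix above covers the amount field. The overview also names two other classes of untrusted input, array indices and authority pubkeys, and the parsing step itself must not trust the byte length it is handed. The following is an added example, not code from the detector's project: it models a hypothetical withdraw instruction layout (tag, little-endian amount, slot index, 32-byte authority) and vault state in plain Rust so it runs without the `solana_program` crate, and validates each field before any state changes. The layout, the `Vault` struct and the error variants are assumptions made for this illustration.

```rust
use std::convert::TryInto;

/// Every way a withdraw instruction can fail validation (constructed for this example).
#[derive(Debug, PartialEq)]
pub enum ValidationError {
    TooShort,
    UnknownTag(u8),
    WrongAuthority,
    IndexOutOfRange,
    InsufficientFunds,
    Overflow,
}

/// Hypothetical wire layout: tag (1) | amount u64 LE (8) | slot index (1) | authority (32).
pub const WITHDRAW_TAG: u8 = 1;
pub const WITHDRAW_LEN: usize = 1 + 8 + 1 + 32;

#[derive(Debug, PartialEq)]
pub struct Withdraw {
    pub amount: u64,
    pub index: usize,
    pub authority: [u8; 32],
}

/// In-memory stand-in for the vault account's data (assumed layout).
pub struct Vault {
    pub authority: [u8; 32],
    pub balances: Vec<u64>, // one sub-balance per slot index
}

/// Step 1: parse raw instruction bytes. Length and tag are checked before any
/// slice is taken, so truncated or malformed data is rejected instead of panicking.
pub fn parse_withdraw(data: &[u8]) -> Result<Withdraw, ValidationError> {
    if data.len() < WITHDRAW_LEN {
        return Err(ValidationError::TooShort);
    }
    if data[0] != WITHDRAW_TAG {
        return Err(ValidationError::UnknownTag(data[0]));
    }
    let amount = u64::from_le_bytes(data[1..9].try_into().expect("8 bytes"));
    let index = data[9] as usize;
    let mut authority = [0u8; 32];
    authority.copy_from_slice(&data[10..42]);
    Ok(Withdraw { amount, index, authority })
}

/// Step 2: validate each untrusted field against program state before it touches
/// balances: the authority must equal the stored one, the index must be in range,
/// the amount must not exceed the slot balance, and the credit must not overflow.
pub fn apply_withdraw(
    vault: &mut Vault,
    user_balance: &mut u64,
    ix: &Withdraw,
) -> Result<(), ValidationError> {
    if ix.authority != vault.authority {
        return Err(ValidationError::WrongAuthority);
    }
    let slot = vault
        .balances
        .get_mut(ix.index)
        .ok_or(ValidationError::IndexOutOfRange)?;
    if ix.amount > *slot {
        return Err(ValidationError::InsufficientFunds);
    }
    let credited = user_balance
        .checked_add(ix.amount)
        .ok_or(ValidationError::Overflow)?;
    // Only now, with every check passed, is state mutated.
    *slot -= ix.amount;
    *user_balance = credited;
    Ok(())
}

/// Builds instruction bytes in the layout above (constructed test input).
pub fn encode_withdraw(amount: u64, index: u8, authority: [u8; 32]) -> Vec<u8> {
    let mut data = Vec::with_capacity(WITHDRAW_LEN);
    data.push(WITHDRAW_TAG);
    data.extend_from_slice(&amount.to_le_bytes());
    data.push(index);
    data.extend_from_slice(&authority);
    data
}

fn main() {
    let auth = [7u8; 32];
    let mut vault = Vault { authority: auth, balances: vec![100, 50] };
    let mut user = 0u64;
    // A valid withdraw, an oversized amount, and an out-of-range slot index.
    for (amount, index) in [(40u64, 0u8), (500, 0), (10, 9)].iter() {
        let ix = parse_withdraw(&encode_withdraw(*amount, *index, auth)).unwrap();
        let result = apply_withdraw(&mut vault, &mut user, &ix);
        println!("withdraw {} from slot {}: {:?}", amount, index, result);
    }
    println!("vault {:?}, user {}", vault.balances, user);
}
```

Each rejection returns before any balance is touched, so a failed check leaves the vault and user state exactly as they were; a real program would map these variants onto `ProgramError` values.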
Detection Methodology
- Instruction data tracing: Tracks values deserialized from instruction data through the program’s data-flow graph.
- Critical operation identification: Identifies where instruction data values are used — in lamport operations, account data writes, CPI arguments, or comparison operands.
- Validation check detection: Searches for bounds checks, range comparisons, or equality checks on the traced values before their use in critical operations.
- Confidence scoring: Values used directly in lamport arithmetic without validation receive highest confidence. Values used in comparisons or branching receive lower confidence.
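To make the four steps concrete, here is an added example of the same idea as a toy analysis pass; it is not the detector's real implementation, which works on the program's data-flow graph at the bytecode level. The straight-line IR, the variable names, the `Check` op standing in for any bounds, range or equality comparison, and the two confidence labels are all assumptions made for this illustration.

```rust
use std::collections::HashSet;

/// Confidence labels as described in the methodology above.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Confidence {
    High,
    Low,
}

/// A hypothetical straight-line IR: one event per op, variables by name.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Op {
    /// Variable deserialized from instruction data (taint source).
    FromInstrData(&'static str),
    /// dst = a <op> b: taint flows from either operand into dst.
    Arith(&'static str, &'static str, &'static str),
    /// A bounds, range or equality check on the variable (validation).
    Check(&'static str),
    /// Variable used in lamport arithmetic (high-confidence sink).
    LamportOp(&'static str),
    /// Variable used as a comparison or branch operand (low-confidence sink).
    Compare(&'static str),
}

#[derive(Debug, PartialEq)]
pub struct Finding {
    pub var: &'static str,
    pub sink: &'static str,
    pub confidence: Confidence,
}

/// A variable is trusted if it never carried instruction data or has been checked.
fn trusted(v: &str, tainted: &HashSet<&'static str>, validated: &HashSet<&'static str>) -> bool {
    !tainted.contains(v) || validated.contains(v)
}

/// Walk the IR once, tracking which variables carry instruction data and which
/// have been validated, and report tainted, unvalidated values reaching a sink.
pub fn analyze(ops: &[Op]) -> Vec<Finding> {
    let mut tainted: HashSet<&'static str> = HashSet::new();
    let mut validated: HashSet<&'static str> = HashSet::new();
    let mut findings = Vec::new();
    for op in ops {
        match *op {
            Op::FromInstrData(v) => {
                tainted.insert(v);
                validated.remove(v); // a fresh deserialization discards earlier checks
            }
            Op::Arith(dst, a, b) => {
                if tainted.contains(a) || tainted.contains(b) {
                    tainted.insert(dst);
                    // A derived value counts as validated only if every tainted input was.
                    if trusted(a, &tainted, &validated) && trusted(b, &tainted, &validated) {
                        validated.insert(dst);
                    } else {
                        validated.remove(dst);
                    }
                } else {
                    tainted.remove(dst);
                }
            }
            Op::Check(v) => {
                validated.insert(v);
            }
            Op::LamportOp(v) => {
                if !trusted(v, &tainted, &validated) {
                    findings.push(Finding { var: v, sink: "lamport arithmetic", confidence: Confidence::High });
                }
            }
            Op::Compare(v) => {
                if !trusted(v, &tainted, &validated) {
                    findings.push(Finding { var: v, sink: "comparison", confidence: Confidence::Low });
                }
            }
        }
    }
    findings
}

/// Constructed IR for the vulnerable withdraw: amount reaches lamport arithmetic unchecked.
pub fn vulnerable_withdraw() -> Vec<Op> {
    vec![
        Op::FromInstrData("amount"),
        Op::FromInstrData("index"),
        Op::LamportOp("amount"),
        Op::Compare("index"),
    ]
}

/// Constructed IR for the fixed withdraw: amount is checked, and a fee derived
/// from it and a program-controlled rate inherits that validation.
pub fn fixed_withdraw() -> Vec<Op> {
    vec![
        Op::FromInstrData("amount"),
        Op::Check("amount"),
        Op::Arith("fee", "amount", "rate"),
        Op::LamportOp("amount"),
        Op::LamportOp("fee"),
    ]
}

fn main() {
    println!("vulnerable: {:?}", analyze(&vulnerable_withdraw()));
    println!("fixed: {:?}", analyze(&fixed_withdraw()));
}
```

The ordering matters: a `Check` only counts if it appears before the sink, and a later reassignment from instruction data clears it again, which is the same reason the real detector has to follow the data flow rather than just look for the presence of a comparison somewhere in the function.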
Limitations
- False positives: Programs that validate instruction data in a separate parsing function (not inlined by the compiler) may be flagged.
- False negatives: Validations performed through Anchor’s constraint system may not be visible at the bytecode level.
Related Detectors
- Missing Signer Check — detects missing signer validation
- Arbitrary CPI — detects unvalidated CPI targets