Multi-Hop CPI
Detects dangerous multi-hop cross-program invocation chains.
Overview
The multi-hop CPI detector identifies dangerous cross-program invocation chains that could lead to privilege escalation or circular dependencies. Multiple sequential CPI calls increase the attack surface and risk exceeding the CPI depth limit.
For remediation guidance, see Multi-Hop CPI Remediation.
Why This Is an Issue
Multi-hop CPI chains (A calls B calls C) compound trust assumptions — each hop can modify account state, and the caller has less visibility into what the final program does. Circular CPI dependencies can create unexpected re-entrancy. Deep call stacks also risk exceeding Solana’s 4-level CPI depth limit.
How to Resolve
Before (Vulnerable)
```rust
// Vulnerable: sequential CPI calls creating a deep chain with no re-validation between hops
pub fn process(ctx: Context<Process>) -> Result<()> {
    invoke_program_a(ctx.accounts)?; // A may call B, B may call C
    invoke_program_b(ctx.accounts)?; // Unclear total depth; state from the first hop is trusted blindly
    Ok(())
}
```
After (Fixed)
```rust
// Fixed: validate each CPI target and minimize chain depth
pub fn process(ctx: Context<Process>) -> Result<()> {
    // Pin the target program ID so the chain cannot be redirected to an arbitrary program
    require!(
        ctx.accounts.program_a.key() == EXPECTED_PROGRAM_A,
        ErrorCode::InvalidProgram
    );
    invoke_program_a(ctx.accounts)?;
    // Re-validate state after each CPI: the callee may have modified shared accounts
    ctx.accounts.shared_state.reload()?;
    validate_invariants(&ctx.accounts.shared_state)?;
    Ok(())
}
```
Example JSON Finding
```json
{
  "detector": "multi-hop-cpi",
  "severity": "high",
  "confidence": 0.65,
  "message": "Multiple sequential CPI calls without intermediate state validation",
  "location": { "function": "process", "block": 0, "statement": 3 }
}
```
Detection Methodology
- CPI chain detection: Identifies multiple CPI calls within the same function.
- Circular dependency search: Checks for potential CPI cycles through program ID analysis.
- Depth estimation: Estimates maximum CPI depth from call patterns.
- Inter-CPI validation: Flags missing state re-validation between sequential CPI calls.
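The methodology above, reduced to a runnable sketch. This is an added example, not the detector's own code: the statement IR (`Stmt`), the hand-built call graph and the message strings are assumptions, and the inputs mirror the Before/After snippets on this page.

```python
from dataclasses import dataclass

MAX_CPI_DEPTH = 4  # Solana's CPI depth limit, as given on this page
MSG_SEQUENTIAL = "Multiple sequential CPI calls without intermediate state validation"

@dataclass
class Stmt:
    kind: str         # "cpi" (invoke/invoke_signed), "reload" (state re-validation), or "other"
    target: str = ""  # program invoked, for "cpi" statements only

def estimate_depth(program, graph, seen=()):
    """Longest CPI chain rooted at `program` (1 = that call alone); cycles are cut off."""
    if program in seen:
        return 0
    deeper = (estimate_depth(p, graph, seen + (program,)) for p in graph.get(program, ()))
    return 1 + max(deeper, default=0)

def has_cycle(program, graph, seen=()):
    """True if following the call graph from `program` ever returns to a program on the path."""
    if program in seen:
        return True
    return any(has_cycle(p, graph, seen + (program,)) for p in graph.get(program, ()))

def find_multi_hop(fn_name, stmts, graph):
    """Flag a CPI that follows another CPI without a reload in between, chains whose
    estimated depth exceeds the limit, and CPI cycles reachable from a target program."""
    findings, seen_cpi, validated = [], False, True
    for i, s in enumerate(stmts):
        if s.kind == "reload":
            validated = True   # state was re-read, so the next CPI is not "blind"
            continue
        if s.kind != "cpi":
            continue
        loc = {"function": fn_name, "statement": i}
        if seen_cpi and not validated:
            findings.append({"detector": "multi-hop-cpi", "severity": "high",
                             "message": MSG_SEQUENTIAL, "location": loc})
        depth = estimate_depth(s.target, graph)
        if depth > MAX_CPI_DEPTH:
            findings.append({"detector": "multi-hop-cpi", "severity": "high", "location": loc,
                             "message": f"Estimated CPI depth {depth} exceeds limit of {MAX_CPI_DEPTH}"})
        if has_cycle(s.target, graph):
            findings.append({"detector": "multi-hop-cpi", "severity": "high", "location": loc,
                             "message": f"Potential CPI cycle through {s.target}"})
        seen_cpi, validated = True, False
    return findings

# Constructed inputs (assumed call graph: a calls b, b calls c); AFTER inserts a reload between hops.
GRAPH = {"program_a": ["program_b"], "program_b": ["program_c"]}
BEFORE = [Stmt("cpi", "program_a"), Stmt("cpi", "program_b")]
AFTER = [Stmt("cpi", "program_a"), Stmt("reload"), Stmt("other"), Stmt("cpi", "program_b")]
```

Running `find_multi_hop("process", BEFORE, GRAPH)` yields one finding at statement 1, while the `AFTER` body yields none; a five-program chain or a two-program cycle in the graph triggers the depth and cycle findings respectively.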
Limitations
- False positives: Sequential CPI calls to well-audited programs with shallow depth.
- False negatives: CPI chains through dynamically-resolved program IDs.
Related Detectors
- Stack Depth Violation — CPI depth limit violations
- Cross-Program State — state inconsistencies across CPI