Native Program Authority
Detects missing authority validation when invoking Solana native programs.
Overview
The native program authority detector identifies missing authority validation when invoking Solana’s native programs (System, Token, Associated Token, Token-2022, Rent). Programs that assume native program CPIs are safe without validating required authorities allow attackers to manipulate operations by providing incorrect payer, owner, or mint authority accounts.
For remediation guidance, see Native Program Authority Remediation.
Why This Is an Issue
Each native program operation requires specific authorities: CreateAccount needs a payer, Token Transfer needs an owner, MintTo needs a mint authority. If these authorities are not validated before the CPI, an attacker can substitute their own accounts, redirecting funds or creating unauthorized tokens.
How to Resolve
Before (Vulnerable)
// Vulnerable: payer not validated
invoke(
    &system_instruction::create_account(
        payer.key, new_account.key, lamports, space, program_id
    ),
    &[payer.clone(), new_account.clone()],
)?;
After (Fixed)
// Fixed: validate payer is the expected authority
require!(payer.is_signer, MissingSignature);
require!(payer.key() == expected_payer, InvalidPayer);
invoke(
    &system_instruction::create_account(
        payer.key, new_account.key, lamports, space, program_id
    ),
    &[payer.clone(), new_account.clone()],
)?;
Example JSON Finding
{
  "detector": "native-program-authority",
  "severity": "high",
  "confidence": 0.65,
  "message": "Native program CPI without required authority validation",
  "location": { "function": "create", "block": 0, "statement": 2 }
}
Detection Methodology
- Native program CPI detection: Identifies CPI calls to System, Token, ATA, and Token-2022 programs.
- Operation classification: Determines which operation is being invoked (CreateAccount, Transfer, etc.).
- Authority validation search: Checks for signer and key validation on required authority accounts.
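The authority validation search above, sketched as an added example (not the detector's own code). It assumes a toy statement IR in which CPI detection and operation classification have already produced `NativeCpi` nodes; `Op`, `Stmt`, `Finding`, `required_authority` and `scan` are hypothetical names, and the sample body is constructed to mirror the "Before" snippet.

```rust
// Added illustration: a toy IR, not the detector's real data model.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Op { CreateAccount, Transfer, MintTo }

pub enum Stmt<'a> {
    RequireSigner(&'a str), // e.g. require!(payer.is_signer, ..)
    RequireKeyEq(&'a str),  // e.g. require!(payer.key() == expected_payer, ..)
    NativeCpi { op: Op, authority: &'a str }, // invoke(..) into a native program
    Other,                  // any statement that is neither a check nor a CPI
}

#[derive(Debug, PartialEq)]
pub struct Finding { pub op: Op, pub statement: usize, pub missing_signer: bool, pub missing_key: bool }

/// Authority each operation requires, as listed on this page.
pub fn required_authority(op: Op) -> &'static str {
    match op {
        Op::CreateAccount => "payer",
        Op::Transfer => "owner",
        Op::MintTo => "mint authority",
    }
}

/// Flags each native CPI whose authority account lacks a signer check or a
/// key check among the statements that precede it.
pub fn scan(body: &[Stmt]) -> Vec<Finding> {
    let mut findings = Vec::new();
    for (i, stmt) in body.iter().enumerate() {
        if let Stmt::NativeCpi { op, authority } = stmt {
            let prior = &body[..i]; // checks placed after the CPI do not count
            let signer = prior.iter().any(|s| matches!(s, Stmt::RequireSigner(a) if a == authority));
            let key = prior.iter().any(|s| matches!(s, Stmt::RequireKeyEq(a) if a == authority));
            if !(signer && key) {
                findings.push(Finding { op: *op, statement: i, missing_signer: !signer, missing_key: !key });
            }
        }
    }
    findings
}

fn main() {
    // Constructed sample shaped like the "Before" snippet: CPI at statement 2, no checks.
    let before = [Stmt::Other, Stmt::Other, Stmt::NativeCpi { op: Op::CreateAccount, authority: "payer" }];
    for f in scan(&before) {
        println!("statement {}: {:?} CPI, {} not validated", f.statement, f.op, required_authority(f.op));
    }
}
```

Because the sketch only sees explicit check statements in the same body, it reproduces the limitations listed below: validation expressed elsewhere is invisible to it, and a CPI hidden behind a wrapper never becomes a `NativeCpi` node.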
Limitations
- False positives: Programs where authority is validated through Anchor constraints.
- False negatives: Custom wrappers around native program calls.
Related Detectors
- Missing Signer Check — general signer validation
- SPL Token Compliance — token program compliance