Sysvar Cache Staleness
Detects stale sysvar data used across blocks, covering sysvars beyond Clock.
Overview
The sysvar cache staleness detector identifies when sysvar data (SlotHashes, EpochSchedule, Rent, RecentBlockhashes) is read once and stored in a variable, then reused across multiple blocks without re-reading. Sysvar values can change between transaction composition and execution, and cached values used in validation logic can be exploited.
For remediation guidance, see Sysvar Cache Staleness Remediation.
Why This Is an Issue
Sysvar values reflect blockchain state that changes over time. If a program reads a sysvar value early in execution and uses it for validation later (potentially after CPI calls that consume time), the cached value may no longer reflect current state. An attacker can time transactions to exploit the gap between the cached read and actual sysvar state.
How to Resolve
Before (Vulnerable)
// Vulnerable: sysvar read cached and used much later
let rent = Rent::get()?;
let min_balance = rent.minimum_balance(data_len);
// ... many operations and CPI calls ...
// Using min_balance computed from possibly stale rent values
require!(account.lamports() >= min_balance, Insufficient);
After (Fixed)
// Fixed: re-read sysvar close to point of use
// ... operations ...
let rent = Rent::get()?; // Fresh read
let min_balance = rent.minimum_balance(data_len);
require!(account.lamports() >= min_balance, Insufficient);
Example JSON Finding
{
  "detector": "sysvar-cache-staleness",
  "severity": "medium",
  "confidence": 0.55,
  "message": "Sysvar data read in block 0 used in block 5 without re-reading",
  "location": { "function": "process", "block": 5, "statement": 2 }
}
Detection Methodology
- Sysvar read identification: Detects reads from sysvar accounts (Rent, Clock, SlotHashes, etc.).
- Variable tracking: Tracks which variables hold sysvar-derived values and where they are defined.
- Cross-block usage detection: Flags sysvar-derived values used in different blocks from where they were read.
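The three steps above, sketched over a toy IR as an added example (not the detector's own code). The `Stmt` and `Finding` types, the `stmt` and `sample` helpers, and the in-order walk over blocks are assumptions made for illustration; the sample input is constructed from the Before/After snippets.

```rust
use std::collections::HashMap;

/// One statement of a toy IR: variable defined, variables read, and the
/// sysvar read directly (Some("Rent") models `Rent::get()`).
pub struct Stmt { pub def: Option<&'static str>, pub uses: Vec<&'static str>, pub sysvar: Option<&'static str> }
#[derive(Debug, PartialEq)]
pub struct Finding { pub sysvar: &'static str, pub read_block: usize, pub block: usize, pub statement: usize }
pub fn stmt(def: Option<&'static str>, uses: &[&'static str], sysvar: Option<&'static str>) -> Stmt {
    Stmt { def, uses: uses.to_vec(), sysvar }
}

/// Assumption: blocks are visited in index order (no branch or loop analysis).
pub fn detect(blocks: &[Vec<Stmt>]) -> Vec<Finding> {
    // variable -> (sysvar it derives from, block where that sysvar was read)
    let mut origin: HashMap<&'static str, (&'static str, usize)> = HashMap::new();
    let mut findings = Vec::new();
    for (b, block) in blocks.iter().enumerate() {
        for (s, st) in block.iter().enumerate() {
            let mut inherited = None;
            for u in &st.uses {
                if let Some(&(sysvar, read_block)) = origin.get(u) {
                    if read_block != b {
                        findings.push(Finding { sysvar, read_block, block: b, statement: s });
                    }
                    inherited = inherited.or(Some((sysvar, read_block)));
                }
            }
            if let Some(d) = st.def {
                // A direct read is fresh in this block; otherwise inherit the origin or clear it.
                match st.sysvar.map(|sv| (sv, b)).or(inherited) {
                    Some(o) => { origin.insert(d, o); }
                    None => { origin.remove(d); }
                }
            }
        }
    }
    findings
}

/// Constructed sample modelled on the page's "Before" and "After" snippets.
pub fn sample(fixed: bool) -> Vec<Vec<Stmt>> {
    let read = || vec![stmt(Some("rent"), &[], Some("Rent")), stmt(Some("min_balance"), &["rent", "data_len"], None)];
    let check = stmt(None, &["lamports", "min_balance"], None);
    if fixed { vec![vec![], { let mut b = read(); b.push(check); b }] }
    else { vec![read(), vec![check]] }
}

fn main() {
    println!("before: {:?}\nafter: {:?}", detect(&sample(false)), detect(&sample(true)));
}
```

The "Before" shape yields one finding for `min_balance`, whose origin is carried over from `rent`; the "After" shape yields none because the read and the check share a block.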
Limitations
- False positives: Sysvars like Rent rarely change within a transaction.
- False negatives: Complex data flow through multiple variables.
Related Detectors
- Clock Account Spoofing — clock sysvar spoofing
- Sysvar Account Spoofing — general sysvar spoofing