SVM Remediation April 6, 2026 1 min read

Anchor Constraint TOCTOU Remediation

How to fix TOCTOU race conditions in Anchor constraints.

svmaccess-control

Anchor Constraint TOCTOU Remediation

Overview

Related Detector: Anchor Constraint TOCTOU

TOCTOU races occur when account state is checked before a CPI that modifies it. The fix is to reload account data after CPI calls and re-validate, or restructure the instruction to perform CPI before state-dependent checks.

Recommended Fix

Before (Vulnerable)

let balance = ctx.accounts.token.amount;
require!(balance >= MIN, Insufficient);
token::transfer(ctx, balance)?;  // Modifies token.amount

After (Fixed)

let amount = ctx.accounts.token.amount;
token::transfer(ctx, amount)?;
ctx.accounts.token.reload()?;  // Refresh from on-chain state
require!(ctx.accounts.token.amount == 0, Incomplete);

Alternative Mitigations

Use Anchor reload()

Always call reload() on accounts after any CPI that could modify them:

invoke(&external_ix, accounts)?;
ctx.accounts.my_account.reload()?;
// Now safe to read my_account data

Common Mistakes

Mistake: Using Cached Variable After CPI

let data = ctx.accounts.state.value;
invoke(&modify_ix, accounts)?;
// WRONG: data is stale, state.value may have changed
if data > threshold { /* ... */ }

Always re-read from the account after CPI, never trust cached variables.

References

Anchor — Account Constraints
CWE-367: Time-of-check Time-of-use

SVM Detector

Anchor Constraint TOCTOU

Detects Time-of-Check-Time-of-Use vulnerabilities in Anchor constraint validation.

Back to Knowledge Base

Use the Sign In button in the navigation bar.

Sigvex

Advanced bytecode decompilation and security analysis across multiple runtimes. Detect vulnerabilities, exploits, and reverse-engineer smart contracts directly on-chain.

Product

Features
How It Works
Pricing

Resources

Knowledge Base
Research
Blog

Company

About
Contact
Security

Legal

Terms of Service
Privacy Policy
Cookie Policy
Acceptable Use

Built for developers, by developers.