Compute Budget Injection Remediation
How to fix hardcoded compute budget assumptions.
Overview
Related Detector: Compute Budget Injection
A compute budget hardcoded in the program does not reflect the budget the transaction actually runs with, because transaction-level instructions can change it. The fix is to call sol_remaining_compute_units() for runtime budget awareness instead of relying on hardcoded constants.
Recommended Fix
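use solana_program::compute_units::sol_remaining_compute_units;
// Inside the instruction handler: ask the runtime how many compute units are left.
let remaining = sol_remaining_compute_units();
// COST_PER_ITEM is the program's own per-item cost constant (must be nonzero).
let max_iterations = remaining / COST_PER_ITEM;
// Fail early when not even one item fits in the remaining budget.
require!(max_iterations > 0, ErrorCode::InsufficientCompute);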
Common Mistakes
Mistake: Hardcoding Budget Constants
// WRONG: attacker can change the actual budget
if iterations * cost > 200_000 { return Err(TooExpensive); }
Query the runtime for actual remaining compute units.
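The following added example (not code from the original page or from the Solana SDK) puts the hardcoded check next to a runtime-aware bound so the difference can be run off-chain. The names ASSUMED_BUDGET, RESERVE_UNITS, hardcoded_check and bounded_iterations, and all numeric values, are assumptions for illustration; on-chain, `remaining` would be the return value of sol_remaining_compute_units().

```rust
// Added example: constants and scenario values are constructed for illustration.
// On-chain, `remaining` comes from sol_remaining_compute_units(); here it is a
// parameter so the logic can run off-chain.

const COST_PER_ITEM: u64 = 1_500; // assumed measured cost per item (hypothetical)
const RESERVE_UNITS: u64 = 10_000; // assumed headroom for work after the loop (hypothetical)
const ASSUMED_BUDGET: u64 = 200_000; // the hardcoded constant from the mistaken check

#[derive(Debug, PartialEq)]
enum BudgetError {
    TooExpensive,
    InsufficientCompute,
}

/// Mistaken check: compares against a constant and ignores the real budget.
fn hardcoded_check(iterations: u64) -> Result<u64, BudgetError> {
    match iterations.checked_mul(COST_PER_ITEM) {
        Some(total) if total <= ASSUMED_BUDGET => Ok(iterations),
        _ => Err(BudgetError::TooExpensive),
    }
}

/// Runtime-aware bound: caps the work at what fits in the units actually left,
/// keeping RESERVE_UNITS back for whatever runs after the loop.
fn bounded_iterations(requested: u64, remaining: u64) -> Result<u64, BudgetError> {
    let usable = remaining.saturating_sub(RESERVE_UNITS);
    let max_iterations = usable / COST_PER_ITEM;
    if max_iterations == 0 {
        return Err(BudgetError::InsufficientCompute);
    }
    Ok(requested.min(max_iterations))
}

fn main() {
    // Constructed scenario: only 40_000 units are left when the handler runs.
    let remaining = 40_000;
    let requested = 100;
    // The constant says 100 items are fine, but they would cost 150_000 units.
    println!("hardcoded: {:?}", hardcoded_check(requested));
    // The runtime-aware bound caps the loop at 20 items.
    println!("runtime:   {:?}", bounded_iterations(requested, remaining));
}
```

The hardcoded check fails in both directions: it approves work that cannot finish when the real budget is lower than the constant, and it rejects work that would fit when the real budget is higher.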