Native Program Authority Remediation
How to fix missing authority validation for native program CPIs.
Overview
Related Detector: Native Program Authority
Missing authority validation on native CPIs allows unauthorized operations. The fix is to validate the correct authority (payer, owner, mint authority) for each native program operation before making the CPI call.
Recommended Fix
// Validate authority before each native program CPI
require!(authority.is_signer, MissingSignature);
require!(authority.key() == expected_authority, InvalidAuthority);
invoke(&system_instruction::transfer(authority.key, dest.key, amount), accounts)?;
Common Mistakes
Mistake: Only Checking Signer, Not Identity
// WRONG: any signer passes this check
require!(payer.is_signer, MissingSignature);
// Should also verify: require!(payer.key() == expected_payer)
Always verify both that the account is a signer and that it is the expected authority.
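The signer-only mistake next to the full check, as an added example that is not code from the original page or from the detector's project. It uses std-only stand-ins so it runs without the Solana crates: `Account`, `Pubkey`, `AuthError` and both function names are assumptions for illustration, and the keys are constructed sample values.

```rust
// Added example: std-only stand-ins, not the solana_program / Anchor types.
type Pubkey = [u8; 32];

#[derive(Debug, PartialEq)]
enum AuthError {
    MissingSignature,
    InvalidAuthority,
}

// Hypothetical model of the two account fields the checks read.
struct Account {
    key: Pubkey,
    is_signer: bool,
}

// The mistake: proves that someone signed, not that the right account signed.
fn check_signer_only(payer: &Account) -> Result<(), AuthError> {
    if !payer.is_signer {
        return Err(AuthError::MissingSignature);
    }
    Ok(())
}

// The fix: signer check plus identity check against the expected authority.
fn check_authority(authority: &Account, expected: &Pubkey) -> Result<(), AuthError> {
    if !authority.is_signer {
        return Err(AuthError::MissingSignature);
    }
    if authority.key != *expected {
        return Err(AuthError::InvalidAuthority);
    }
    Ok(())
}

fn main() {
    // Constructed sample keys.
    let expected: Pubkey = [1u8; 32];
    let owner = Account { key: expected, is_signer: true };
    let other = Account { key: [2u8; 32], is_signer: true };
    let unsigned = Account { key: expected, is_signer: false };

    println!("signer-only, unrelated signer: {:?}", check_signer_only(&other));
    println!("full check, unrelated signer:  {:?}", check_authority(&other, &expected));
    println!("full check, expected signer:   {:?}", check_authority(&owner, &expected));
    println!("full check, unsigned expected: {:?}", check_authority(&unsigned, &expected));
}
```

In a real program the expected key comes from state the program controls, and the CPI is only issued after the full check returns `Ok`.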