Anchor Constraint Bypass
Overview
The Anchor constraint bypass detector identifies Anchor programs where account validation constraints (#[account(mut)], #[account(signer)], #[account(has_one)], #[account(constraint)]) are missing or insufficient. While Anchor automates many safety checks, developers must still declare the correct constraints for each account. A missing has_one constraint on an authority field allows any signer to modify protected state. A missing mut constraint means writes silently fail.
Why This Is an Issue
Anchor programs that omit critical constraints are as vulnerable as native programs without manual checks. The an Anchor-style framework cannot infer business logic requirements — it only enforces what the developer declares. Common gaps include: missing has_one = authority on admin operations, missing constraint = amount > 0 on transfers, and missing seeds validation on PDA accounts.
How to Resolve
// Before: Vulnerable — missing authority constraint
#[derive(Accounts)]
pub struct UpdateConfig<'info> {
#[account(mut)]
pub config: Account<'info, Config>,
pub authority: Signer<'info>, // No has_one — any signer works
}
// After: Fixed — authority must match config's stored authority
#[derive(Accounts)]
pub struct UpdateConfig<'info> {
#[account(mut, has_one = authority)]
pub config: Account<'info, Config>,
pub authority: Signer<'info>,
}
Detection Methodology
- Anchor discriminator detection: Identifies programs using Anchor’s 8-byte discriminator pattern to confirm framework usage.
- Constraint enumeration: Extracts validation checks from the program’s instruction handlers.
- Gap identification: Flags accounts used in privileged operations (writes, transfers) without corresponding authority or ownership constraints.
- Missing signer detection: Identifies accounts that need to be signers based on their role but lack the signer constraint.
Limitations
False positives: Programs that implement custom validation logic outside Anchor constraints may be flagged. False negatives: Constraints validated in custom instruction logic rather than Anchor attribute macros may not be detected at the bytecode level.
Related Detectors
- Missing Signer Check — detects missing signer validation
- Missing Owner Check — detects missing owner validation
- Account Type Confusion — detects account type mismatches