Skip to main content
Sigvex

Anchor Upgrade Security Remediation

How to fix unsafe an account-validation framework program upgrade patterns.

Anchor Upgrade Security Remediation

Overview

Related Detector: Anchor Upgrade Security

Unprotected upgrade authority is the highest-severity risk for upgradeable programs. The fix is to use multi-sig governance, implement mandatory timelocks, and consider making programs immutable once stable.

Before (Vulnerable)

// Single keypair can upgrade at any time
invoke(&bpf_loader_upgradeable::upgrade(...), accounts)?;

After (Fixed)

// Require multi-sig + timelock
require!(multisig.threshold_met(), InsufficientSignatures);
require!(clock.unix_timestamp >= proposal_time + TIMELOCK, TimelockPending);
invoke(&bpf_loader_upgradeable::upgrade(...), accounts)?;

Alternative Mitigations

Use Squads Protocol

Transfer upgrade authority to a Squads multi-sig for decentralized governance:

solana program set-upgrade-authority <PROGRAM_ID> --new-upgrade-authority <SQUADS_VAULT>

Make Immutable

For production programs that should never change:

solana program set-upgrade-authority <PROGRAM_ID> --final

Common Mistakes

Mistake: Short Timelock

const TIMELOCK: i64 = 3600; // 1 hour -- too short for community review

Use timelocks of at least 24-48 hours to allow community review of proposed upgrades.

References