Skip to main content
Sigvex

Native Program Authority Remediation

How to fix missing authority validation for native program CPIs.

Native Program Authority Remediation

Overview

Related Detector: Native Program Authority

Missing authority validation on native CPIs allows unauthorized operations. The fix is to validate the correct authority (payer, owner, mint authority) for each native program operation before making the CPI call.

// Validate authority before each native program CPI
require!(authority.is_signer, MissingSignature);
require!(authority.key() == expected_authority, InvalidAuthority);
invoke(&system_instruction::transfer(authority.key, dest.key, amount), accounts)?;

Common Mistakes

Mistake: Only Checking Signer, Not Identity

// WRONG: any signer passes this check
require!(payer.is_signer, MissingSignature);
// Should also verify: require!(payer.key() == expected_payer)

Always verify both that the account is a signer and that it is the expected authority.

References