Synthetify/synthetify-protocol

CpiAccount owners aren't validated

armaniferrante opened this issue · 1 comment

It's not strictly necessary depending on what you're doing, but it's usually best practice to validate the AccountInfo's "owner" is the expected program id. For example, this line https://github.com/Synthetify/synthetify-protocol/blob/master/programs/exchange/src/lib.rs#L2138 can be rewritten:

```rust
#[account(constraint = asset_address.to_account_info().owner == &anchor_spl::token::ID)]
pub asset_address: CpiAccount<'info, anchor_spl::token::Mint>,
```

Checks added in #81.
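
A self-contained model of the owner check suggested in this issue, added here as an example; it is not Synthetify's or Anchor's code. `AccountInfo`, the 9-byte `Mint` layout and the `TOKEN_PROGRAM_ID` value are simplified stand-ins for the real types, chosen so the sketch runs with the standard library only.

```rust
// Simplified model of account validation (constructed types, not the real
// solana_program or Anchor API).
type Pubkey = [u8; 32];
const TOKEN_PROGRAM_ID: Pubkey = [6u8; 32]; // constructed placeholder id

struct AccountInfo<'a> {
    owner: Pubkey,  // program with write authority over `data`
    data: &'a [u8], // raw account bytes
}

#[derive(Debug, PartialEq)]
struct Mint { supply: u64, decimals: u8 }

#[derive(Debug, PartialEq)]
enum LoadError { WrongOwner, BadData }

// Hypothetical minimal layout: 8-byte little-endian supply, then 1-byte decimals.
fn parse_mint(data: &[u8]) -> Result<Mint, LoadError> {
    if data.len() != 9 {
        return Err(LoadError::BadData);
    }
    let mut supply = [0u8; 8];
    supply.copy_from_slice(&data[..8]);
    Ok(Mint { supply: u64::from_le_bytes(supply), decimals: data[8] })
}

// No owner check: any account whose bytes parse as a Mint is accepted.
fn load_mint_unchecked(acc: &AccountInfo) -> Result<Mint, LoadError> {
    parse_mint(acc.data)
}

// Owner check first: the bytes are trusted only if the expected program owns them.
fn load_mint_checked(acc: &AccountInfo, expected: &Pubkey) -> Result<Mint, LoadError> {
    if acc.owner != *expected {
        return Err(LoadError::WrongOwner);
    }
    parse_mint(acc.data)
}

fn main() {
    let mut bytes = 1_000_000u64.to_le_bytes().to_vec();
    bytes.push(6);
    // Constructed sample: identical data, owned by a different program id.
    let lookalike = AccountInfo { owner: [9u8; 32], data: &bytes };
    println!("unchecked: {:?}", load_mint_unchecked(&lookalike));
    println!("checked:   {:?}", load_mint_checked(&lookalike, &TOKEN_PROGRAM_ID));
}
```
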