Anchor Framework System Program ID Validation Vulnerability Allowing Arbitrary CPI

A logic error in the Anchor framework for Solana programs, affecting versions 1.0.0 prior to 1.0.2, allows programs to accept any program ID when the system program ID is required. This flaw can lead to false assumptions and potential arbitrary cross-program invocations (CPI) in programs that use system program instructions. The issue arises because the default behavior of the program ID validation can be manipulated, allowing any executable account to be passed in instead of the intended system program. As a result, programs may inadvertently invoke instructions from unauthorized programs, bypassing expected payment processes and potentially exploiting other functionalities.

Impact

Exploitation of this vulnerability bypasses proper validation of program IDs, particularly for the system program. This can lead to unauthorized cross-program invocations, allowing attackers to manipulate program logic or bypass payment requirements. Additionally, accounts created through exploited programs may be controlled by the attacker, further extending the impact.

Reproduction

To reproduce this vulnerability, deploy an Anchor program that requires the system program ID. The program should be designed to assume that the provided system program ID is valid. Once deployed, use a JavaScript script to call the program's instruction, passing in a different program ID instead of the system program ID. The program will accept the invalid ID, leading to the exploitation of the vulnerability.

Remediation

Users can update to Anchor version 1.0.2, which addresses this vulnerability by correcting the program ID validation logic.