Patching a vulnerability
As mentioned in the previous section, our program in its current state has a major vulnerability. It enables a malicious issuer to dupe a recipient into thinking they trustlessly own vested assets, when in reality they don't. Let's apply a methodical approach to find this vulnerability.
Thinking about attack vectors
Very broadly speaking, a vulnerability exists when there is some way to manipulate a program's inputs to make it behave in unexpected ways. This means that patching vulnerabilities means looking at a program's inputs and making sure that those are safe. Solana programs have two different kinds of input with different security implications:
- Instruction data
- Account data
- System variables