Patching a vulnerability

As mentioned in the previous section, our program in its current state has a major vulnerability. It enables a malicious issuer to dupe a recipient into thinking they trustlessly own vested assets, when in reality they don't. Let's apply a methodical approach to find this vulnerability.

Thinking about attack vectors

Very broadly speaking, a vulnerability exists when there is some way to manipulate a program's inputs to make it behave in unexpected ways. Patching vulnerabilities therefore means looking at a program's inputs and making sure that they are safe. Solana programs have two different kinds of input with different security implications:

  • Instruction data
  • Account data
  • System variables