Pantsir
Created 10 Feb 2026 · Updated 13 Feb 2026
Solana Vault Escrow (Broken Access Control)
An Anchor escrow vault program allows unauthorized emergency withdrawals because signer status is checked without authority equality validation.
rust · 340 pts · 40 min

Story

Your Web3 platform uses a Solana escrow vault for enterprise project funds. The operations team requested an emergency withdrawal path in case integrations fail and funds must be recovered quickly.

A security reviewer reports that any signer can trigger emergency withdrawal, not just the configured vault authority.

System Context

This Anchor workspace includes:

  • vault initialization with authority binding
  • SOL deposit flow
  • emergency withdrawal instruction

The intended control is strict: only vault.authority may execute emergency withdrawal.

Problem

The emergency transfer instruction verifies that a signature exists for the requester account, but it does not enforce that this requester matches the authority stored in vault state. That distinction is critical on-chain: a valid signer is not automatically an authorized signer. Without identity binding, the withdrawal path can be invoked by accounts outside the intended authority boundary.
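A plain-Rust model of the two checks described above, added here as an illustration: it is not the lab's Anchor program, and it uses hand-rolled `Pubkey`, `Vault` and `Requester` stand-ins instead of the Solana or Anchor crates so it runs without them.

```rust
/// Simplified stand-in for solana_program::Pubkey (no Solana crate needed).
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Pubkey([u8; 32]);

impl Pubkey {
    /// Constructed key for illustration only; not a real on-chain address.
    pub fn constructed(tag: u8) -> Self {
        Pubkey([tag; 32])
    }
}

/// Vault state as written at initialization: the bound authority and balance.
pub struct Vault {
    pub authority: Pubkey,
    pub lamports: u64,
}

/// What the program sees about the requester account of the instruction.
pub struct Requester {
    pub key: Pubkey,
    pub is_signer: bool,
}

#[derive(Debug, PartialEq, Eq)]
pub enum VaultError {
    MissingSignature,
    Unauthorized,
    InsufficientFunds,
}

/// Vulnerable pattern: proves only that *some* account signed.
/// In Anchor terms, a bare `Signer<'info>` with no `has_one` / `constraint`.
pub fn emergency_withdraw_vulnerable(vault: &mut Vault, requester: &Requester, amount: u64) -> Result<u64, VaultError> {
    if !requester.is_signer { return Err(VaultError::MissingSignature); }
    // Missing check: requester.key == vault.authority
    debit(vault, amount)
}

/// Hardened pattern: signer status AND equality with the stored authority.
/// This is what `#[account(mut, has_one = authority)]` on the vault enforces.
pub fn emergency_withdraw_hardened(vault: &mut Vault, requester: &Requester, amount: u64) -> Result<u64, VaultError> {
    if !requester.is_signer { return Err(VaultError::MissingSignature); }
    if requester.key != vault.authority { return Err(VaultError::Unauthorized); }
    debit(vault, amount)
}

/// Shared transfer bookkeeping; returns the remaining vault balance.
fn debit(vault: &mut Vault, amount: u64) -> Result<u64, VaultError> {
    vault.lamports = vault.lamports.checked_sub(amount).ok_or(VaultError::InsufficientFunds)?;
    Ok(vault.lamports)
}
```

The vulnerable path lets any signing account drain the vault; the hardened path rejects it with `Unauthorized` while still serving the bound authority.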

Goal

Find the exact vulnerable line in the project code.
