FV-ANC-5-CL1 Lack of validation of external program before CPI
Bad
// Assumes external program is correct without validation
let cpi_program = ctx.accounts.external_program.to_account_info();
Good
// Explicitly verify the target program ID before CPI
if ctx.accounts.external_program.key() != spl_token::ID {
    return Err(ProgramError::IncorrectProgramId.into());
}
let cpi_program = ctx.accounts.external_program.to_account_info();
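
The following is an added, self-contained Rust model of the Bad and Good snippets above; it is not code from the original page and uses no Solana or Anchor crates. `Ledger`, `invoke`, `pay_unchecked`, `pay_checked` and both program ids are constructed for the illustration: the unchecked handler reports success even though the intended transfer never ran.

```rust
use std::collections::HashMap;

type Pubkey = [u8; 32];
type Handler = fn(&mut Ledger, u64);

// Constructed ids for this model; not real on-chain addresses.
const TOKEN_PROGRAM_ID: Pubkey = [1u8; 32];
const LOOKALIKE_PROGRAM_ID: Pubkey = [2u8; 32];

#[derive(Debug, PartialEq)]
enum ProgramError { IncorrectProgramId }

struct Ledger { vault: u64, recipient: u64 }

// The intended program: moves `amount` from vault to recipient.
fn token_transfer(l: &mut Ledger, amount: u64) { l.vault -= amount; l.recipient += amount; }
// Another program with the same interface: reports success, moves nothing.
fn lookalike_transfer(_l: &mut Ledger, _amount: u64) {}

// Stand-in for the runtime: runs whichever program the id names.
fn invoke(program: &Pubkey, l: &mut Ledger, amount: u64) -> Result<(), ProgramError> {
    let mut programs: HashMap<Pubkey, Handler> = HashMap::new();
    programs.insert(TOKEN_PROGRAM_ID, token_transfer as Handler);
    programs.insert(LOOKALIKE_PROGRAM_ID, lookalike_transfer as Handler);
    let handler = programs.get(program).copied().ok_or(ProgramError::IncorrectProgramId)?;
    handler(l, amount);
    Ok(())
}

// "Bad": forwards to whatever program account the caller supplied.
fn pay_unchecked(external_program: &Pubkey, l: &mut Ledger, amount: u64) -> Result<(), ProgramError> {
    invoke(external_program, l, amount)
}

// "Good": compares the supplied id with the expected one before the call.
fn pay_checked(external_program: &Pubkey, l: &mut Ledger, amount: u64) -> Result<(), ProgramError> {
    if *external_program != TOKEN_PROGRAM_ID {
        return Err(ProgramError::IncorrectProgramId);
    }
    invoke(external_program, l, amount)
}

fn main() {
    let mut l = Ledger { vault: 100, recipient: 0 };
    println!("unchecked: {:?}, recipient = {}", pay_unchecked(&LOOKALIKE_PROGRAM_ID, &mut l, 40), l.recipient);
    println!("checked:   {:?}", pay_checked(&LOOKALIKE_PROGRAM_ID, &mut l, 40));
    println!("checked:   {:?}, vault = {}", pay_checked(&TOKEN_PROGRAM_ID, &mut l, 40), l.vault);
}
```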