FV-ANC-5-CL2 CPI without signer seeds
Caveat - if it's a user doing the transfer, not a PDA, empty seeds might be ok
Bad
// CPI signer seeds missing
invoke_signed(&instruction, &accounts, &[]);Good
// Provide signer seeds securely during CPI
let seeds = &[b"vault".as_ref(), &[bump]];
invoke_signed(&instruction, &accounts, &[seeds]);PreviousFV-ANC-5-CL1 Lack of validation of external program before CPINextFV-ANC-5-CL3 Not unsetting signer status before a CPI
Last updated
Was this helpful?