FV-ANC-5-CL3 Not unsetting signer status before a CPI
Bad
// BAD: the user's account is handed to the external program exactly as this
// program received it.
let user_info = ctx.accounts.user.to_account_info();
let cpi_accounts = vec![user_info];

// Nothing above narrows the account's privileges, so the user's `is_signer`
// status is propagated to the callee program without restriction. A malicious
// or compromised callee can then misuse that signer authority.
invoke_signed(&instruction, &cpi_accounts, &[&seeds])?;
Good
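// GOOD: drop the user's signer privilege before the account leaves this program.
let mut user_info = ctx.accounts.user.to_account_info();

// Explicitly unset the `is_signer` status, to protect against malicious signer
// authority misuse by the external program.
user_info.is_signer = false;
let cpi_accounts = vec![user_info];

// NOTE(review): `instruction` is built outside this snippet. The signer flag the
// callee is granted is also declared per account in the instruction's
// `AccountMeta` list — confirm the entry for `user` is not marked as a signer
// there, otherwise clearing the flag here may not be sufficient on its own.
invoke_signed(&instruction, &cpi_accounts, &[&seeds])?;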