
brainblast v0.7.1 — Anchor/Rust security checkers


DSB-117 released this 20 Jun 03:23
7953bb7

Pillar 2: Anchor/Rust Security Checkers — three new static checker kinds for Solana programs written with the Anchor framework, plus 6 fixtures and full test coverage.

New rules

  • anchor-signer-constraint-missing (CRITICAL) — flags account fields with authority-style names (authority, admin, owner, payer, …) that are typed AccountInfo<'info> without a signer constraint or a Signer<'info> type. Anchor performs no signing check on AccountInfo, so any key can be passed as the authority and the privileged instruction executes without signature validation. Fix: use Signer<'info> or add #[account(signer)].

  • anchor-unchecked-account-type (HIGH) — flags UncheckedAccount<'info> fields in instruction handlers. Anchor requires a /// CHECK: comment on such fields but performs zero runtime validation: ownership, signer status, and data layout are all unchecked. Fix: replace with Account<'info, T>, Signer<'info>, or SystemAccount<'info>.

  • anchor-pda-find-program-address (HIGH) — flags Pubkey::find_program_address calls inside handler bodies. The call is expensive (up to 255 SHA-256 hashes per call) and unsafe (the handler may silently use a non-canonical bump). Fix: use #[account(seeds=[...], bump=state.bump)] so that Anchor re-derives and verifies the address at zero cost.

Other changes

  • Updated logo: assets/brainblast.png replaces assets/brainblast.jpg.

  • 348/348 tests green.
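An added example (not brainblast's own code) of how the three checks above can be expressed as a line-based scan over Rust source. It assumes the authority-name list quoted in the release note, handles one field per line, and runs on a constructed sample program:

```typescript
// Added example (not brainblast's own code): a minimal, line-based checker for the three rule kinds.
// A production checker should walk a parsed Rust AST; this version handles one field per line only.
type Finding = { rule: string; line: number; field: string };
const AUTHORITY_NAMES = new Set(["authority", "admin", "owner", "payer"]); // names from the release note
// Matches `pub name: Type,` on a single (trimmed) struct-body line.
const FIELD_RE = /^(?:pub\s+)?(\w+)\s*:\s*(.+?),?$/;
function checkAnchorSource(source: string): Finding[] {
  const findings: Finding[] = [];
  let pendingAttrs: string[] = []; // #[...] and /// lines seen since the last field
  let inAccounts = false;          // inside a #[derive(Accounts)] struct body
  source.split("\n").forEach((raw, i) => {
    const line = raw.trim();
    const lineNo = i + 1;
    // Rule 3: runtime PDA derivation anywhere in the file body.
    if (line.includes("find_program_address(")) {
      findings.push({ rule: "anchor-pda-find-program-address", line: lineNo, field: "" });
    }
    if (line.startsWith("#[derive(") && line.includes("Accounts")) { inAccounts = true; return; }
    if (line === "}") { inAccounts = false; pendingAttrs = []; return; }
    if (!inAccounts) return;
    if (line.startsWith("#[") || line.startsWith("///")) { pendingAttrs.push(line); return; }
    const m = FIELD_RE.exec(line);
    if (!m) return;
    const [, name, ty] = m;
    // Rule 1: privileged name, raw AccountInfo, and no #[account(signer)] attribute above it.
    const hasSigner = pendingAttrs.some((a) => /\bsigner\b/.test(a));
    if (AUTHORITY_NAMES.has(name) && ty.includes("AccountInfo<") && !hasSigner) {
      findings.push({ rule: "anchor-signer-constraint-missing", line: lineNo, field: name });
    }
    // Rule 2: UncheckedAccount is flagged even when a /// CHECK: comment is present.
    if (ty.includes("UncheckedAccount<")) {
      findings.push({ rule: "anchor-unchecked-account-type", line: lineNo, field: name });
    }
    pendingAttrs = [];
  });
  return findings;
}
// Constructed sample program: lines 3, 5 and 10 should be reported; `payer` is clean.
const SAMPLE = `#[derive(Accounts)]
pub struct Withdraw<'info> {
    pub authority: AccountInfo<'info>,
    /// CHECK: validated by seeds
    pub vault: UncheckedAccount<'info>,
    #[account(signer)]
    pub payer: AccountInfo<'info>,
}
pub fn handler(ctx: Context<Withdraw>) -> Result<()> {
    let (_pda, _bump) = Pubkey::find_program_address(&[b"vault"], ctx.program_id);
    Ok(())
}`;
```

Running checkAnchorSource(SAMPLE) yields three findings, one per rule; the payer field passes because its #[account(signer)] attribute is seen before the field line.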


Install/upgrade the npm CLI:

npx brainblast@0.7.1

The brainblast CLI is published to npm automatically via the brainblast-v0.7.1 tag (publish-cli workflow).