Skip to content

fix: prevent cross-wallet authority deletion in RemoveAuthority (Issue #3)#25

Merged
onspeedhp merged 1 commit into
mainfrom
fix/remove-authority-cross-wallet-vulnerability
Feb 6, 2026
Merged

fix: prevent cross-wallet authority deletion in RemoveAuthority (Issue #3)#25
onspeedhp merged 1 commit into
mainfrom
fix/remove-authority-cross-wallet-vulnerability

Conversation

@onspeedhp
Copy link
Copy Markdown
Member

@onspeedhp onspeedhp commented Feb 6, 2026

  • Add wallet validation for target authority in process_remove_authority
  • Ensures target_header.wallet matches wallet_pda before any role checks
  • Prevents malicious owners from deleting authorities from other wallets
  • Add comprehensive E2E test coverage for cross-wallet attack scenarios
  • Tests verify Owner cannot remove/add authorities or execute on other wallets

Security Impact:

  • CRITICAL: Fixes cross-wallet authority deletion vulnerability
  • Blocks unauthorized access to other wallet's authorities
  • Prevents DoS via mass authority deletion
  • Eliminates privilege escalation attack vector

@onspeedhp
fix: prevent cross-wallet authority deletion in RemoveAuthority (Issue
e79ade0 
…#3)

- Add wallet validation for target authority in process_remove_authority
- Ensures target_header.wallet matches wallet_pda before any role checks
- Prevents malicious owners from deleting authorities from other wallets
- Add comprehensive E2E test coverage for cross-wallet attack scenarios
- Tests verify Owner cannot remove/add authorities or execute on other wallets

Security Impact:
- CRITICAL: Fixes cross-wallet authority deletion vulnerability
- Blocks unauthorized access to other wallet's authorities
- Prevents DoS via mass authority deletion
- Eliminates privilege escalation attack vector

Fixes #3
@onspeedhp onspeedhp merged commit 9d68336 into main Feb 6, 2026
3 checks passed
@onspeedhp onspeedhp deleted the fix/remove-authority-cross-wallet-vulnerability branch February 6, 2026 12:56
onspeedhp added a commit that referenced this pull request Apr 7, 2026
@onspeedhp
Merge pull request #25 from lazor-kit/fix/remove-authority-cross-wall…
8809c41 
…et-vulnerability

fix: prevent cross-wallet authority deletion in RemoveAuthority (Issue #3)
onspeedhp added a commit that referenced this pull request Apr 7, 2026
@onspeedhp
Merge pull request #25 from lazor-kit/fix/remove-authority-cross-wall…
165b6d5 
…et-vulnerability

fix: prevent cross-wallet authority deletion in RemoveAuthority (Issue #3)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@onspeedhp