critical · arbitrary signer

Every bug, proved by exploit.

Most AI tools flood your inbox with maybes. We don’t. Every bug we flag is paired with a synthesized proof-of-concept that runs against your program and a root-cause walk-through. Anything we can’t exploit gets dropped or downgraded to a note — so the bugs you review are bugs we proved.

› proof-of-concept exploit, verified

› detailed root-cause walk-through

› context-aware to your program

› Solana primitive + CWE

signal, not slop

Stop wading through AI noise.

Our validation engine drops any candidate that can’t produce a working PoC. The list you see is the list of bugs worth your time.

HH-3148 · withdraw_vault/src/lib.rs

poc ✓ critical

{/* Vulnerable code */}

vulnerable

#[derive(Accounts)] pub struct Withdraw{`<'info> {`} {` `}~~{'// authority is never constrained as a signer'}~~ {` #[`}~~account~~{`(mut)]`} {` `}pub{` vault: `}Account{`<'info, `}Vault{`>,`} {` `}pub{` authority: `}AccountInfo{`<'info>,`} {` `}pub{` token_program: `}Program{`<'info, `}Token{`>,`} {`}`}

{/* Root cause */}

root cause cwe-862 · solana/signer

authority is declared as AccountInfo, which performs no signer check. Anchor only enforces the signer constraint when the field is typed Signer or bound by has_one. The #[account(mut)] macro does not, so any account can be supplied as the withdrawal authority and drain the vault.

{/* PoC */}

proof-of-concept tests/poc/HH-3148.ts

{` `}const{` attacker = `}Keypair{`.generate();`} {` `}await{` program.methods.`}~~withdraw~~{`(`}~~amount~~{`)`} {` .accounts({ vault, authority: attacker.publicKey })`} {` .rpc(); `}~~{'// drained without victim signature'}~~

verified ✓ exploit lands in 0.42s · vault drained open finding →