solana
Sealevel · signer authorization
sealevel-signer-auth
The program has a critical signer authorization vulnerability. The LogMessage instruction accepts any AccountInfo as the 'authority' parameter without verifying that the account actually signed the transaction. An attacker can pass any account they control, or even an account belonging to another user, and the program will log it as if that account authorized the action. This allows arbitrary impersonation and violates the fundamental security principle that sensitive operations should only proceed when authorized by the actual signer.
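The following is an added example, not the audited program's code: a minimal, self-contained model of the Sealevel account model (a constructed AccountInfo carrying only the key and the runtime's is_signer flag) with a vulnerable LogMessage handler next to its fixed form. The fix is the native Solana pattern of rejecting the instruction when the runtime did not mark the authority as a signer; in an Anchor program the same effect comes from declaring the field as Signer<'info> (or adding #[account(signer)]) on the LogMessage struct instead of AccountInfo<'info>. The account keys and message are constructed sample values.

```rust
// Added example (not the project's code, not the anchor_lang crate): a
// minimal stand-in for the runtime's account model, enough to show why the
// missing signer check matters and what the check looks like.

#[derive(Debug, PartialEq)]
pub enum ProgramError {
    /// Returned when an account that must have signed the transaction did not.
    MissingRequiredSignature,
}

/// Constructed subset of the fields the Solana runtime exposes on an account
/// passed to an instruction; the real type carries lamports, data, owner, etc.
#[derive(Debug, Clone)]
pub struct AccountInfo {
    pub key: [u8; 32],
    /// Set by the runtime only if this account's private key signed the
    /// transaction. A program must never take the caller's word for it.
    pub is_signer: bool,
}

/// Vulnerable handler: attributes the message to whatever account the caller
/// lists as `authority`, without consulting `is_signer`. Any pubkey can be
/// named here, including one the submitter does not control.
pub fn log_message_vulnerable(authority: &AccountInfo, message: &str) -> Result<String, ProgramError> {
    Ok(format!("{}: {}", hex(&authority.key), message))
}

/// Fixed handler: refuses to proceed unless the runtime marked `authority` as
/// a signer. This is exactly what Anchor's `Signer<'info>` type enforces
/// before the instruction body runs.
pub fn log_message_fixed(authority: &AccountInfo, message: &str) -> Result<String, ProgramError> {
    if !authority.is_signer {
        return Err(ProgramError::MissingRequiredSignature);
    }
    Ok(format!("{}: {}", hex(&authority.key), message))
}

fn hex(bytes: &[u8]) -> String {
    bytes.iter().map(|b| format!("{:02x}", b)).collect()
}

fn main() {
    // Constructed accounts: the genuine signer, and a second account that the
    // submitter merely names in the account list without signing for it.
    let signer = AccountInfo { key: [1u8; 32], is_signer: true };
    let other = AccountInfo { key: [2u8; 32], is_signer: false };

    // The vulnerable handler happily logs on behalf of the non-signing account.
    println!("vulnerable: {:?}", log_message_vulnerable(&other, "hello"));
    // The fixed handler rejects it and only accepts the real signer.
    println!("fixed (other): {:?}", log_message_fixed(&other, "hello"));
    println!("fixed (signer): {:?}", log_message_fixed(&signer, "hello"));
}
```

The detection rule for reviewers follows directly: any account that gates a state change or an attributable action must be typed as Signer<'info> (or carry a signer constraint) rather than AccountInfo<'info> or UncheckedAccount<'info>, because the latter two accept any pubkey the transaction lists.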
1 finding
critical: Missing Signer Constraint on Authority Account
category: signer-check; component: lib.rs, LogMessage struct
Exploit-relevant detail is embargoed under responsible disclosure. The maintainers have been notified. Full description and fix auto-publish on 6/23/2026.