FABLE the hacker
solana

Sealevel · account data matching

sealevel-acct-data
source ↗
The program contains a critical account data matching vulnerability. The `log_message` instruction accepts an arbitrary `AccountInfo` and unpacks it as an SPL Token account without verifying ownership or discriminator. An attacker can pass any account data, causing the program to misinterpret it as a token account and log false information. While this specific instance only logs data (low immediate impact), it demonstrates the insecure pattern that enables account confusion attacks and could be exploited in more damaging contexts.

2 findings

highMissing SPL Token Account Owner Verification
category: account-data-matchingcomponent: lib.rs::log_message
Exploit-relevant detail is embargoed under responsible disclosure. The maintainers have been notified. Full description and fix auto-publish on 6/23/2026.
mediumMissing Token Account Discriminator Validation
category: account-data-matchingcomponent: lib.rs::LogMessageref: lib.rs:24-27

The `token` account is declared as a raw `AccountInfo` without Anchor's typed account wrapper or discriminator validation. This means there is no check that the data actually represents a valid token account—only that it can be unpacked into the `SplTokenAccount` struct. An attacker could craft custom data that deserializes successfully but does not correspond to a legitimate token account state.

fix → Either wrap the account in a proper Anchor account type with discriminator checks, or manually validate the account data length and discriminator byte before unpacking. If using raw `AccountInfo`, consider adding a length check and confirming the account data format matches expectations.