solana

Sealevel · owner checks

sealevel-owner-checks
The program performs an owner check on the token account it is handed, but it relies on the caller to supply the right account and never validates that the account passed in is the one it expects. An attacker can therefore pass any account they control: if the owner recorded in that account matches the attacker's authority, the check passes and the program logs a balance it should not trust. On its own this lets the caller have the program report balances for accounts it should not accept, which may leak information; chained with other operations that assume the ownership check was meaningful, the impact can be larger.

1 finding

high · Missing Token Account Validation
category: access-control · component: lib.rs:log_message()
Exploit-relevant detail is embargoed under responsible disclosure. The maintainers have been notified. Full description and fix auto-publish on 6/23/2026.