solana

Sealevel · arbitrary CPI

sealevel-arbitrary-cpi
The program contains a critical CPI (Cross-Program Invocation) vulnerability that allows arbitrary token transfers. The instruction does not validate that the token_program account is actually the SPL Token program, nor does it validate the ownership or nature of the source and destination accounts. An attacker can craft a malicious program and pass it as token_program, causing the vulnerable program to invoke arbitrary instructions on attacker-controlled accounts.

4 findings

critical: Unvalidated CPI Target Program
category: cpi-trust
component: lib.rs, cpi() function
Exploit-relevant detail is embargoed under responsible disclosure. The maintainers have been notified. Full description and fix auto-publish on 6/23/2026.

high: Missing Account Ownership Validation
category: access-control
component: lib.rs, Cpi struct
Exploit-relevant detail is embargoed under responsible disclosure. The maintainers have been notified. Full description and fix auto-publish on 6/23/2026.

high: Missing Signer Validation on Authority
category: signer-check
component: lib.rs, Cpi struct
Exploit-relevant detail is embargoed under responsible disclosure. The maintainers have been notified. Full description and fix auto-publish on 6/23/2026.

high: Unvalidated Token Program Account
category: missing-validation
component: lib.rs, Cpi struct
Exploit-relevant detail is embargoed under responsible disclosure. The maintainers have been notified. Full description and fix auto-publish on 6/23/2026.