add missing-owner-readme

crytic · Aug 16, 2022 · 7df4eee · 7df4eee
1 parent 660917d
commit 7df4eee
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 18 deletions.
diff --git a/lints/missing_owner_check/README.md b/lints/missing_owner_check/README.md
@@ -2,20 +2,34 @@
 
 **What it does:**
 
+This lint checks that for each account referenced in a program, that there is a
+corresponding owner check on that account. Specifically, this means that the owner
+field is referenced on that account.
+
 **Why is this bad?**
 
-**Known problems:** None.
+The missing-owner-check vulnerability occurs when a program uses an account, but does
+not check that it is owned by the expected program. This could lead to vulnerabilities
+where a malicious actor passes in an account owned by program `X` when what was expected
+was an account owned by program `Y`. The code may then perform unexpected operations
+on that spoofed account.
+
+For example, suppose a program expected an account to be owned by the SPL Token program.
+If no owner check is done on the account, then a malicious actor could pass in an
+account owned by some other program. The code may then perform some actions on the
+unauthorized account that is not owned by the SPL Token program.
+
+**Known problems:**
+
+Key checks can be strengthened. Currently, the lint only checks that the account's owner
+field is referenced somewhere, ie, `AccountInfo.owner`.
 
 **Example:**
 
-```rust
-// example code where a warning is issued
-```
+See https://github.com/coral-xyz/sealevel-attacks/blob/master/programs/2-owner-checks/insecure/src/lib.rs
+for an insecure example.
 
 Use instead:
 
-```rust
-// example code that does not raise a warning
-```
-
-Checks if `expr` is an owner field reference on `account_expr`
+See https://github.com/coral-xyz/sealevel-attacks/blob/master/programs/2-owner-checks/secure/src/lib.rs
+for a secure example.
diff --git a/lints/missing_owner_check/src/lib.rs b/lints/missing_owner_check/src/lib.rs
@@ -17,19 +17,28 @@ use solana_lints::{paths, utils::visit_expr_no_bodies};
 dylint_linting::declare_late_lint! {
     /// **What it does:**
     ///
+    /// This lint checks that for each account referenced in a program, that there is a
+    /// corresponding owner check on that account. Specifically, this means that the owner
+    /// field is referenced on that account.
+    ///
     /// **Why is this bad?**
     ///
-    /// **Known problems:** None.
+    /// The missing-owner-check vulnerability occurs when a program uses an account, but does
+    /// not check that it is owned by the expected program. This could lead to vulnerabilities
+    /// where a malicious actor passes in an account owned by program `X` when what was expected
+    /// was an account owned by program `Y`. The code may then perform unexpected operations
+    /// on that spoofed account.
+
+    /// For example, suppose a program expected an account to be owned by the SPL Token program.
+    /// If no owner check is done on the account, then a malicious actor could pass in an
+    /// account owned by some other program. The code may then perform some actions on the
+    /// unauthorized account that is not owned by the SPL Token program.
+    ///
+    /// **Known problems:**
     ///
-    /// **Example:**
+    /// Key checks can be strengthened. Currently, the lint only checks that the account's owner
+    /// field is referenced somewhere, ie, `AccountInfo.owner`.
     ///
-    /// ```rust
-    /// // example code where a warning is issued
-    /// ```
-    /// Use instead:
-    /// ```rust
-    /// // example code that does not raise a warning
-    /// ```
     pub MISSING_OWNER_CHECK,
     Warn,
     "using an account without checking if its owner is as expected"