-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Using Account<T>
with owner
constraint ignores owner
constraint
#3285
Comments
Thanks for creating the issue. I don't think overriding the owner via constraints should be allowed when the account type already has an owner, so the first solution looks to be the best one. Instead of overriding the owner of the account via constraints, we can also potentially support overriding it when annoting the account with the #[account(owner = <PROGRAM_ID>)]
pub struct MyAccount {}
Correct — the documentation should also be updated. |
@acheroncrypto would that account annotation support a flexible I certainly prefer an explicit unchecked over an implicit override. |
I'd like to support @evan-gray's suggestion here, basically something along the lines of |
It could, but I'm not sure if it should.
Something like the following? #[derive(Accounts)]
struct MyIx<'info> {
#[account(owner = other_account.owner)]
generic_owner: GenericOwnerAccount<'info, MyAccount>,
other: Account<'info, OtherAccount>,
}
#[account]
struct MyAccount {
field: u64,
}
#[account]
struct OtherAccount {
owner: Pubkey,
} If so, how do you make sure this is going to be safe? |
Right, something like that!
Not sure I understand -- safety will be achieved through a combination of the owner and other constraints depending on the application (for example a constraint that checks that the owner has to be "registered" via a corresponding PDA or somethint like that). |
Malicious actors can change the account data to whatever they want when an account is owned by an external program (assuming they have the program authority), making the account type unsafe by default, and it would be up to the developer to ensure its safety. |
Summary
When using
Account<T>
alongsideowner
constraint, theAccount
owner check on deserialization makes theowner
constraint mutually exclusive (or redundant at best).Playground Example
In this playground (inspired by this post's solution *), I try to init the
pool_account
and set the owner to be theuser
(signer).On taking a look at the expanded code, I see that it does assign the owner as
user
correctly but when deserializing, it hits theAccountOwnedByWrongProgram
error - it expects the owner to be the calling program when the owner is actually theuser
.* I know this is not a very practical use case as is but this is purely to showcase the error.
Discrepancy in Docs
The 0.30.1 anchor lang docs show this example for using
Account<T>
alongside theowner
constraint:MyData
is probably defined in the calling program (and nottoken_program
) and so we have a case whereT::owner()
is different from theowner
constraint. And the expected behaviour suggests thatdata
/data_two
are owned bytoken_program
and deserialized intoMyData
without any error.Potential Solutions
owner
is used on owner checking types #1749 could be implemented to make it clear thatAccount<T>
andowner
constraint should not be used alongside each other.MyData
should be defined for this to work.eg:- The
owner
trait onMyData
is overriden totoken_program
ID, only then would this work.owner
constraint to be used alongsideAccount<T>
and give theowner
constraint priorityi.e., override the owner check on
Account
deserialization to behave differently whenowner
constraint is used - either skip OR check forowner
constraint owner.The text was updated successfully, but these errors were encountered: