r4bbit e69c9107f0 fix(amm): validate user deposit accounts are owned by vault's token program
An attacker could pass user holding accounts owned by a malicious token
program. Since chained calls are dispatched to the program_owner of the
user holding account, a fake program could accept the transfer instruction
without actually moving tokens.

Add assertions in add_liquidity, remove_liquidity, swap_exact_input, and
swap_exact_output that user_holding_a and user_holding_b must share the
same program_owner as vault_a. The vault accounts are PDA-verified via
their account_id, making vault_a's program_owner the authenticated
reference. new_definition already validated that both user holdings use
the same program.

Adds 8 regression tests covering the wrong-program case for each
operation and each user holding slot.

Closes #69
2026-05-08 12:10:06 +02:00
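The owner check described in the commit, as an added standalone example (not the repository's code): the `Account`, `ProgramId` and `AmmError` types are hypothetical stand-ins for the framework's real account and error types, and `validate_user_holdings` is a hypothetical name for the assertions the commit adds to each of the four operations.

```rust
// Added example, not the project's code. Models the check the commit
// describes: user_holding_a and user_holding_b must share vault_a's
// program_owner, since vault_a is the PDA-verified (authenticated) reference.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct ProgramId(pub [u8; 32]);

#[derive(Debug, Clone)]
pub struct Account {
    pub account_id: [u8; 32],
    pub program_owner: ProgramId, // program that owns this account's data
}

#[derive(Debug, PartialEq, Eq)]
pub enum AmmError {
    /// A user holding account is owned by a program other than the vault's
    /// token program; a chained transfer would be dispatched to that program.
    WrongTokenProgram { slot: &'static str },
}

/// Run before any chained transfer in add_liquidity, remove_liquidity,
/// swap_exact_input or swap_exact_output. Rejects holdings whose owner
/// differs from vault_a's, naming the offending slot.
pub fn validate_user_holdings(
    vault_a: &Account,
    user_holding_a: &Account,
    user_holding_b: &Account,
) -> Result<(), AmmError> {
    if user_holding_a.program_owner != vault_a.program_owner {
        return Err(AmmError::WrongTokenProgram { slot: "user_holding_a" });
    }
    if user_holding_b.program_owner != vault_a.program_owner {
        return Err(AmmError::WrongTokenProgram { slot: "user_holding_b" });
    }
    Ok(())
}

/// Constructed sample account: `id` and `owner` are arbitrary byte tags.
pub fn sample_account(id: u8, owner: u8) -> Account {
    Account { account_id: [id; 32], program_owner: ProgramId([owner; 32]) }
}

fn main() {
    let vault_a = sample_account(1, 0xAA); // owned by the real token program
    let good = sample_account(2, 0xAA);
    let fake = sample_account(3, 0xBB); // owned by a different program
    println!("{:?}", validate_user_holdings(&vault_a, &good, &good)); // Ok(())
    println!("{:?}", validate_user_holdings(&vault_a, &good, &fake)); // Err(..)
}
```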