From 5a99829985610495e93ac3400e9717c7211ec3de Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alexander=20Mei=C3=9Fner?= Date: Wed, 18 Jun 2025 18:44:40 +0200 Subject: [PATCH] Withdraws SIMD-0163 and explains why in the "Security Considerations" section. --- proposals/0163-lift-cpi-caller-restriction.md | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/proposals/0163-lift-cpi-caller-restriction.md b/proposals/0163-lift-cpi-caller-restriction.md index 1464da63d..2fc18cd9a 100644 --- a/proposals/0163-lift-cpi-caller-restriction.md +++ b/proposals/0163-lift-cpi-caller-restriction.md @@ -5,7 +5,7 @@ authors: - Alexander Meißner category: Standard type: Core -status: Implemented +status: Withdrawn created: 2024-07-16 feature: HcW8ZjBezYYgvcbxNJwqv1t484Y2556qJsfNDWvJGZRH --- @@ -70,7 +70,7 @@ None. ## Impact -See motivation. +See motivation and security considerations. Dapp developers who wish to benefit from the lifting of the restriction shall: 
@@ -86,7 +86,20 @@ transaction is explicitly left unspecified. ## Security Considerations -None. +For a program to be allowed to modify an account it must be the owner and the +instruction account must have been passed in with the `is_writable` flag set. +Some programs take custody of an accounts ownership and allow control via a +signer authority. In these cases the instruction account must have been passed +in with the `is_signer` flag set additionally. Both these flags can only be set +in the inner most nested CPI if all parent CPIs did also set them. However, +they can not be controlled at per top-level-instruction. All of these +instructions share the same flags throughout the transaction. + +This means the CPI caller restriction has been used as a security feature to +prevent a top-level-instruction from calling into a program which has custody +of an account that another top-level-instruction required as a signer. Removing +this restriction would require a lot more care to be taken in transaction +builing to prevent the relaxation from being exploited. ## Backwards Compatibility
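Review bot: in the first hunk the status flips from `Implemented` to `Withdrawn` while the `feature: HcW8ZjBezYYgvcbxNJwqv1t484Y2556qJsfNDWvJGZRH` line is kept as-is, and nothing in the patch says what becomes of that gate. Because the proposal had already reached `Implemented`, a reader needs to know whether the gate simply stays inactive, is being revoked, or was activated and must be reverted; one line under the front matter (or at the end of the new Security Considerations text) would settle it.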
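Review bot: the Impact hunk only widens the cross-reference to "See motivation and security considerations." but leaves the trailing context line "Dapp developers who wish to benefit from the lifting of the restriction shall:" and the guidance it introduces untouched. With the status now `Withdrawn`, that guidance describes behaviour that will not ship; either drop it or prefix it with a sentence saying it applied only while activation was expected, so nobody follows build instructions for a restriction that remains in force.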
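Review bot: the new Security Considerations text names the hazard but never spells out the sequence the restriction was blocking, so a reader cannot check the claim from the paragraph alone; add one sentence in the document's own terms: one top-level instruction legitimately carries an account with `is_signer` set, every other top-level instruction in the same transaction receives that account with the same flags (because, as the paragraph says, the flags are transaction-wide rather than per instruction), and without the caller restriction a second instruction could CPI into the program holding custody of that account and exercise the signer authority. The paragraph also never ties this back to the `Withdrawn` status; since the commit subject says this section explains the withdrawal, end it by stating that the restriction is kept for this reason. While here, fix the typos in the added lines: "an accounts ownership" should read "an account's ownership", "inner most" should read "innermost", "at per top-level-instruction" should read "per top-level instruction", and "builing" should read "building". The sentence "Both these flags can only be set in the inner most nested CPI if all parent CPIs did also set them" reads more clearly as "Both flags can only reach the innermost CPI if every enclosing CPI also passed them".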