Agent skill

cpi-security

Trigger Pattern CPI flag detected (invoke/invoke_signed/CpiContext usage) - Inject Into Breadth agents, depth agents

View SKILL.md on GitHub Repository
Stars 215
Forks 33

Install this agent skill to your Project

npx add-skill https://github.com/PlamenTSV/plamen/tree/main/agents/skills/solana/cpi-security

SKILL.md

CPI_SECURITY Skill

Trigger Pattern: CPI flag detected (invoke/invoke_signed/CpiContext usage) Inject Into: Breadth agents, depth agents Finding prefix: [CPI-N] Rules referenced: S3, S5, R1, R4

For every Cross-Program Invocation (CPI) in the Solana program:

1. CPI Target Inventory

Enumerate ALL CPI calls:

# Location CPI Type Target Program Target Instruction Accounts Forwarded Signers Forwarded
1 {file:line} invoke/invoke_signed/CpiContext {program_id} {instruction} {list} {list}

2. Target Program Validation

For each CPI call, verify the target program ID:

CPI Program ID Source Hardcoded/Validated? Spoofable?
{cpi} {where program_id comes from} Hardcoded constant / Validated against known / FROM USER INPUT {if from input: CRITICAL finding}

Attack (S3): If program ID comes from user input without validation, attacker substitutes a malicious program that mimics the expected interface but steals funds. Defense: Always validate program ID against a hardcoded constant or well-known program address.

3. Signer Privilege Tracing

For each CPI that forwards signers:

CPI Signer Source Privilege Level Should Forward? Over-Privileged?
{cpi} {PDA / user wallet / authority} {what the signer can do in target} YES/NO {if forwarding more privilege than needed}

Attack: Forwarding user's wallet as signer to a CPI target that uses it for unintended operations. Pattern: PDA signers via invoke_signed are safe (program-controlled). User wallet forwarding needs careful scoping.

4. Account Reload Audit (S5 - CRITICAL)

For each CPI call, check what accounts are read AFTER the CPI returns:

CPI Accounts Modified by Target Read After CPI? reload() Called? Owner Re-checked?
{cpi} {list accounts CPI can modify} YES/NO YES/NO YES/NO

Attack (S5): CPI target modifies account data. Caller reads stale cached data without reload(). CRITICAL: Anchor's reload() refreshes data but does NOT re-verify the account owner. A CPI target could assign the account to a different program. After reload(), the data is fresh but the owner may have changed. Full defense: After CPI, both reload() AND re-check account.owner.

5. Lamport Balance Conservation

For each CPI that transfers SOL:

CPI Expected Lamport Change Actual Change Verified? Drain Risk?
{cpi} {expected delta} YES/NO {if NO: CPI could drain more than expected}

Attack: CPI target drains more lamports than expected from accounts owned by the caller's program. Defense: Check lamport balances before and after CPI; verify delta matches expected amount.

6. Account Owner Check Post-CPI

For each CPI that could modify account ownership:

CPI Can Target Call system_program::assign? Owner Checked After CPI? Risk
{cpi} YES/NO YES/NO {if YES and NO: account hijacking}

Attack: CPI target uses system_program::assign to change account owner to attacker-controlled program. Caller continues using the account assuming it's still owned by its program.

7. CPI Depth Analysis

For each code path with nested CPIs:

Entry Point CPI Chain Max Depth CU Cost Estimate Risk
{instruction} {A → B → C} {depth} {estimate} {CU exhaustion?}

Solana limit: CPI depth capped at 4 levels. Check if deep chains approach this limit.

Finding Template

markdown
**ID**: [CPI-N]
**Severity**: [based on impact: fund theft via program spoofing = Critical, stale data = High]
**Step Execution**: ✓1,2,3,4,5,6,7 | ✗(reasons) | ?(uncertain)
**Rules Applied**: [S3:✓, S5:✓, R1:✓, R4:✓/✗]
**Location**: program/src/{file}.rs:LineN
**Title**: [CPI issue type] in [instruction] enables [attack]
**Description**: [Specific CPI vulnerability with call chain trace]
**Impact**: [Fund theft / state corruption / privilege escalation]

Step Execution Checklist (MANDATORY)

Section Required Completed? Notes
1. CPI Target Inventory YES ✓/✗/? For every CPI
2. Target Program Validation YES ✓/✗/? For every CPI
3. Signer Privilege Tracing YES ✓/✗/? For every CPI with signers
4. Account Reload Audit YES ✓/✗/? CRITICAL - most common CPI bug
5. Lamport Balance Conservation IF SOL transfers ✓/✗(N/A)/?
6. Account Owner Check Post-CPI YES ✓/✗/? assign attack prevention
7. CPI Depth Analysis IF nested CPIs ✓/✗(N/A)/? CU exhaustion risk

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

PlamenTSV/plamen

integration-hazard-research

Protocol Type Trigger NAMED_EXTERNAL_PROTOCOL (detected when recon finds import/interface for an identifiable external protocol — not standard libraries). Researches known integration hazards of the target protocol.

215 33
Explore
PlamenTSV/plamen

outcome-determinism

Protocol Type Trigger outcome_determinism - detected when EITHER of these code patterns are present - - Selection from finite depletable pool with fallback behavior (while(full)...

215 33
Explore
PlamenTSV/plamen

governance-attack-vectors

Protocol Type Trigger governance (detected when Governor, Timelock, voting, proposal, quorum, delegate patterns found) - Inject Into Breadth agents, depth-external, depth-edge-case

215 33
Explore
PlamenTSV/plamen

vault-accounting

Protocol Type Trigger vault (detected in recon TASK 0 Step 1) - Inject Into Core state agent OR economic design agent (merge via M4 hierarchy)

215 33
Explore
PlamenTSV/plamen

lending-protocol-security

Protocol Type Trigger lending (detected when recon finds liquidate|borrow|repay|collateral|lend|loan|LTV|healthFactor|interestRate|debtToken) - Inject Into Breadth agents, depth...

215 33
Explore
PlamenTSV/plamen

dex-integration-security

Protocol Type Trigger dex_integration (detected when recon finds swap|addLiquidity|removeLiquidity|IUniswapV2Router|ISwapRouter|amountOutMin|amountOutMinimum|slippage - AND the...

215 33
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results