Security Scanner Fails to Detect Missing Access Control on Sensitive Account Mutations #28

@hugomeduarte

Issue Type

  • Bug Report
  • Feature Request
  • Documentation Improvement
  • Other (please specify)

Description

The extension fails to detect missing access control or signer checks when mutating sensitive account fields, such as the owner field in an Anchor program instruction.

Current Behavior

Instructions that allow anyone to modify critical fields (e.g., owner) without verifying the caller’s authority or signer status are not flagged as security issues.

Expected Behavior

The extension should detect and report any instruction that mutates sensitive fields (like owner, authority, balances) without proper access control or signer verification.

Steps To Reproduce (for bugs)

  1. Add an instruction to an Anchor program that allows anyone to overwrite the owner field of an account (no access control).
  2. Run the extension’s security scan.
  3. Observe that no issue is reported.

Possible Solution

Enhance the extension to analyze instructions for mutations of sensitive fields and verify that appropriate access control (e.g., signer checks, authority checks) is present.

Environment (for bugs)

  • OS: macOS
  • VS Code version: 1.5.5
  • Extension version: pre-release
  • Solana CLI version: 2.2.12
  • Anchor version (if applicable): 0.31.1

Additional Context

Example insecure instruction:

pub fn insecure_instruction(ctx: Context<InitializeUserProfile>) -> Result<()> {
    let user_profile = &mut ctx.accounts.user_profile;
    user_profile.owner = Pubkey::default(); // Overwrite owner to default (insecure)
    Ok(())
}
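
A heuristic sketch of the check proposed under Possible Solution, added here as an example and not the extension's own code: it pairs each handler that assigns to a sensitive field with its `Context<...>` accounts struct and reports the handler when that struct has no `Signer` account or no `has_one`/`constraint` attribute. The struct bodies, the `update_owner` handler and the `findUnguardedMutations` name are assumptions constructed for illustration.

```javascript
// Constructed sample: the issue's handler plus a guarded counterpart (struct bodies are assumptions).
const SAMPLE = `
#[derive(Accounts)]
pub struct InitializeUserProfile<'info> {
    #[account(mut)]
    pub user_profile: Account<'info, UserProfile>,
}
#[derive(Accounts)]
pub struct UpdateOwner<'info> {
    #[account(mut, has_one = owner)]
    pub user_profile: Account<'info, UserProfile>,
    pub owner: Signer<'info>,
}
pub fn insecure_instruction(ctx: Context<InitializeUserProfile>) -> Result<()> {
    let user_profile = &mut ctx.accounts.user_profile;
    user_profile.owner = Pubkey::default();
    Ok(())
}
pub fn update_owner(ctx: Context<UpdateOwner>, new_owner: Pubkey) -> Result<()> {
    ctx.accounts.user_profile.owner = new_owner;
    Ok(())
}
`;

// Assignment (not ==) to a field the issue names as sensitive.
const SENSITIVE = /\.(owner|authority|balances?)\s*=(?!=)/g;

function findUnguardedMutations(src) {
  // Map each #[derive(Accounts)] struct name to its body text.
  const structs = new Map();
  const structRe = /#\[derive\(Accounts\)\]\s*pub struct (\w+)[^{]*\{([\s\S]*?)\n\}/g;
  for (const m of src.matchAll(structRe)) structs.set(m[1], m[2]);

  const findings = [];
  // Regex-level parse: assumes the handler body has no nested block closing on its own line.
  const fnRe = /pub fn (\w+)\s*\(\s*ctx:\s*Context<(\w+)>[^)]*\)[^{]*\{([\s\S]*?)\n\s*\}/g;
  for (const [, name, ctxType, body] of src.matchAll(fnRe)) {
    const fields = [...new Set([...body.matchAll(SENSITIVE)].map((m) => m[1]))];
    if (fields.length === 0) continue; // handler does not touch a sensitive field
    const accounts = structs.get(ctxType) || "";
    const missing = [];
    if (!/Signer<'info>/.test(accounts)) missing.push("signer");
    if (!/has_one\s*=|constraint\s*=/.test(accounts)) missing.push("authority constraint");
    if (missing.length) findings.push({ instruction: name, fields, missing });
  }
  return findings;
}

console.log(JSON.stringify(findUnguardedMutations(SAMPLE), null, 2));
```

A production check would work on a parsed syntax tree and would also need to recognize manual checks inside the handler body, which this text-level pass does not see.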
