During an audit of oracle code, Amin and I discovered that it is still possible to circumvent the new permissions PDA mechanism if you simply don't pass the permissions account. If you as an attacker have control over price/product/mapping private keys, you can use the legacy privkey-based access control, which means the oracle has a significantly larger attack surface than necessary. This change makes the permissions account mandatory and adjusts all affected unit tests.
Summary of changes
program/rust/src/tests/pyth_simulator.rs - always use permissions account in instruction wrappers
program/rust/src/utils.rs - Return error on missing permissions account
program/rust/src/tests/ - Add permissions_account_setup harness assignments to all affected tests.
Review Highlights
program/rust/src/tests/ - Some of the assertions were removed, as they were testing the legacy privkey access control which is no longer available. That said, it's important that useful assertions were not removed.
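
The bypass described above, as an added example that is not code from this pull request or from the oracle program: a simplified model of an authorization check that falls back to the legacy key-based path when the permissions account is omitted, next to the version that treats the account as mandatory. All type, field and function names here are assumptions made for illustration.

```rust
// Simplified model for illustration: these types and names are assumptions,
// not the oracle program's real structures.
#[derive(Debug, PartialEq)]
enum AuthError {
    MissingPermissionsAccount,
    NotAuthorized,
}

struct Permissions {
    authority: [u8; 32], // key the permissions account names as allowed
}

struct Request<'a> {
    caller: [u8; 32],                     // signer submitting the instruction
    account_key_signed: bool,             // price/product/mapping key also signed
    permissions: Option<&'a Permissions>, // None = caller left the account out
}

// Before: a missing permissions account silently selects the legacy check.
fn authorize_with_fallback(r: &Request) -> Result<(), AuthError> {
    match r.permissions {
        Some(p) if p.authority == r.caller => Ok(()),
        Some(_) => Err(AuthError::NotAuthorized),
        None if r.account_key_signed => Ok(()), // legacy privkey-based path
        None => Err(AuthError::NotAuthorized),
    }
}

// After: the permissions account is mandatory, so there is no second path.
fn authorize_mandatory(r: &Request) -> Result<(), AuthError> {
    let p = r.permissions.ok_or(AuthError::MissingPermissionsAccount)?;
    if p.authority == r.caller {
        Ok(())
    } else {
        Err(AuthError::NotAuthorized)
    }
}

// Constructed request: the caller holds an account private key, is not the
// permitted authority, and omits the permissions account.
fn account_key_holder_request() -> Request<'static> {
    Request { caller: [7u8; 32], account_key_signed: true, permissions: None }
}

fn main() {
    let r = account_key_holder_request();
    println!("fallback:  {:?}", authorize_with_fallback(&r));
    println!("mandatory: {:?}", authorize_mandatory(&r));
}
```

A regression test for this class of bug should assert the specific missing-account error, so that a later change reintroducing an optional path fails the test instead of passing through a generic authorization error.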