Closing Accounts and Revival Attacks
Lesson Objectives
By the end of this lesson, you will be able to:
- Explain the various security vulnerabilities associated with closing program accounts incorrectly
- Close program accounts safely and securely using native Rust
- Close program accounts safely and securely using the Anchor close constraint
TL;DR
- Closing an account improperly creates an opportunity for reinitialization/revival attacks
- The Solana runtime garbage collects accounts when they are no longer rent exempt. Closing accounts involves transferring the lamports stored in the account for rent exemption to another account of your choosing.
- You can use the Anchor #[account(close = <address_to_send_lamports>)] constraint to securely close accounts and set the account discriminator to the CLOSED_ACCOUNT_DISCRIMINATOR
1#[account(mut, close = receiver)] 2pub data_account: Account<'info, MyData>, 3#[account(mut)] 4pub receiver: SystemAccount<'info>
Overview
While it sounds simple, closing accounts properly can be tricky. There are a number of ways an attacker could circumvent having the account closed if you don't follow specific steps.
To get a better understanding of these attack vectors, let’s explore each of these scenarios in depth.
Insecure account closing
At its core, closing an account involves transferring its lamports to a separate account, thus triggering the Solana runtime to garbage collect the first account. This resets the owner from the owning program to the system program.
Take a look at the example below. The instruction requires two accounts:
- account_to_close - the account to be closed
- destination - the account that should receive the closed account’s lamports
The program logic is intended to close an account by simply increasing the destination account’s lamports by the amount stored in the account_to_close and setting the account_to_close lamports to 0. With this program, after a full transaction is processed, the account_to_close will be garbage collected by the runtime.
1use anchor_lang::prelude::*; 2 3declare_id!("Fg6PaFpoGXkYsidMpWTK6W2BeZ7FEfcYkg476zPFsLnS"); 4 5#[program] 6pub mod closing_accounts_insecure { 7 use super::*; 8 9 pub fn close(ctx: Context<Close>) -> ProgramResult { 10 let dest_starting_lamports = ctx.accounts.destination.lamports(); 11 12 **ctx.accounts.destination.lamports.borrow_mut() = dest_starting_lamports 13 .checked_add(ctx.accounts.account_to_close.to_account_info().lamports()) 14 .unwrap(); 15 **ctx.accounts.account_to_close.to_account_info().lamports.borrow_mut() = 0; 16 17 Ok(()) 18 } 19} 20 21#[derive(Accounts)] 22pub struct Close<'info> { 23 account_to_close: Account<'info, Data>, 24 destination: AccountInfo<'info>, 25} 26 27#[account] 28pub struct Data { 29 data: u64, 30}
However, the garbage collection doesn't occur until the transaction completes. And since there can be multiple instructions in a transaction, this creates an opportunity for an attacker to invoke the instruction to close the account but also include in the transaction a transfer to refund the account's rent exemption lamports. The result is that the account will not be garbage collected, opening up a path for the attacker to cause unintended behavior in the program and even drain a protocol.
Secure account closing
The two most important things you can do to close this loophole are to zero out the account data and add an account discriminator that represents the account has been closed. You need both of these things to avoid unintended program behavior.
An account with zeroed out data can still be used for some things, especially if it's a PDA whose address derivation is used within the program for verification purposes. However, the damage may be potentially limited if the attacker can't access the previously-stored data.
To further secure the program, however, closed accounts should be given an account discriminator that designates it as "closed," and all instructions should perform checks on all passed-in accounts that return an error if the account is marked closed.
Look at the example below. This program transfers the lamports out of an account, zeroes out the account data, and sets an account discriminator in a single instruction in hopes of preventing a subsequent instruction from utilizing this account again before it has been garbage collected. Failing to do any one of these things would result in a security vulnerability.
1use anchor_lang::prelude::*; 2use std::io::Write; 3use std::ops::DerefMut; 4 5declare_id!("Fg6PaFpoGXkYsidMpWTK6W2BeZ7FEfcYkg476zPFsLnS"); 6 7#[program] 8pub mod closing_accounts_insecure_still_still { 9 use super::*; 10 11 pub fn close(ctx: Context<Close>) -> ProgramResult { 12 let account = ctx.accounts.account.to_account_info(); 13 14 let dest_starting_lamports = ctx.accounts.destination.lamports(); 15 16 **ctx.accounts.destination.lamports.borrow_mut() = dest_starting_lamports 17 .checked_add(account.lamports()) 18 .unwrap(); 19 **account.lamports.borrow_mut() = 0; 20 21 let mut data = account.try_borrow_mut_data()?; 22 for byte in data.deref_mut().iter_mut() { 23 *byte = 0; 24 } 25 26 let dst: &mut [u8] = &mut data; 27 let mut cursor = std::io::Cursor::new(dst); 28 cursor 29 .write_all(&anchor_lang::__private::CLOSED_ACCOUNT_DISCRIMINATOR) 30 .unwrap(); 31 32 Ok(()) 33 } 34} 35 36#[derive(Accounts)] 37pub struct Close<'info> { 38 account: Account<'info, Data>, 39 destination: AccountInfo<'info>, 40} 41 42#[account] 43pub struct Data { 44 data: u64, 45}
Note that the example above is using Anchor's CLOSED_ACCOUNT_DISCRIMINATOR. This is simply an account discriminator where each byte is 255. The discriminator doesn't have any inherent meaning, but if you couple it with account validation checks that return errors any time an account with this discriminator is passed to an instruction, you'll stop your program from unintentionally processing an instruction with a closed account.
Manual Force Defund
There is still one small issue. While the practice of zeroing out account data and adding a "closed" account discriminator will stop your program from being exploited, a user can still keep an account from being garbage collected by refunding the account's lamports before the end of an instruction. This results in one or potentially many accounts existing in a limbo state where they cannot be used but also cannot be garbage collected.
To handle this edge case, you may consider adding an instruction that will allow anyone to defund accounts tagged with the "closed" account discriminator. The only account validation this instruction would perform is to ensure that the account being defunded is marked as closed. It may look something like this:
1use anchor_lang::__private::CLOSED_ACCOUNT_DISCRIMINATOR; 2use anchor_lang::prelude::*; 3use std::io::{Cursor, Write}; 4use std::ops::DerefMut; 5 6... 7 8 pub fn force_defund(ctx: Context<ForceDefund>) -> ProgramResult { 9 let account = &ctx.accounts.account; 10 11 let data = account.try_borrow_data()?; 12 assert!(data.len() > 8); 13 14 let mut discriminator = [0u8; 8]; 15 discriminator.copy_from_slice(&data[0..8]); 16 if discriminator != CLOSED_ACCOUNT_DISCRIMINATOR { 17 return Err(ProgramError::InvalidAccountData); 18 } 19 20 let dest_starting_lamports = ctx.accounts.destination.lamports(); 21 22 **ctx.accounts.destination.lamports.borrow_mut() = dest_starting_lamports 23 .checked_add(account.lamports()) 24 .unwrap(); 25 **account.lamports.borrow_mut() = 0; 26 27 Ok(()) 28 } 29 30... 31 32#[derive(Accounts)] 33pub struct ForceDefund<'info> { 34 account: AccountInfo<'info>, 35 destination: AccountInfo<'info>, 36}
Since anyone can call this instruction, this can act as a deterrent to attempted revival attacks since the attacker is paying for account rent exemption but anyone else can claim the lamports in a refunded account for themselves.
While not necessary, this can help eliminate the waste of space and lamports associated with these "limbo" accounts.
Use the Anchor close constraint
Fortunately, Anchor makes all of this much simpler with the #[account(close = <target_account>)] constraint. This constraint handles everything required to securely close an account:
- Transfers the account’s lamports to the given <target_account>
- Zeroes out the account data
- Sets the account discriminator to the CLOSED_ACCOUNT_DISCRIMINATOR variant
All you have to do is add it in the account validation struct to the account you want closed:
1#[derive(Accounts)] 2pub struct CloseAccount { 3 #[account( 4 mut, 5 close = receiver 6 )] 7 pub data_account: Account<'info, MyData>, 8 #[account(mut)] 9 pub receiver: SystemAccount<'info> 10}
The force_defund instruction is an optional addition that you’ll have to implement on your own if you’d like to utilize it.
Demo
To clarify how an attacker might take advantage of a revival attack, let's work with a simple lottery program that uses program account state to manage a user's participation in the lottery.
1. Setup
Start by getting the code on the starter branch from the following repo.
The code has two instructions on the program and two tests in the tests directory.
The program instructions are:
- enter_lottery
- redeem_rewards_insecure
When a user calls enter_lottery, the program will initialize an account to store some state about the user's lottery entry.
Since this is a simplified example rather than a fully-fledge lottery program, once a user has entered the lottery they can call the redeem_rewards_insecure instruction at any time. This instruction will mint the user an amount of Reward tokens proportional to the amount of times the user has entered the lottery. After minting the rewards, the program closes the user's lottery entry.
Take a minute to familiarize yourself with the program code. The enter_lottery instruction simply creates an account at a PDA mapped to the user and initializes some state on it.
The redeem_rewards_insecure instruction performs some account and data validation, mints tokens to the given token account, then closes the lottery account by removing its lamports.
However, notice the redeem_rewards_insecure instruction only transfers out the account's lamports, leaving the account open to revival attacks.
2. Test Insecure Program
An attacker that successfully keeps their account from closing can then call redeem_rewards_insecure multiple times, claiming more rewards than they are owed.
Some starter tests have already been written that showcase this vulnerability. Take a look at the closing-accounts.ts file in the tests directory. There is some setup in the before function, then a test that simply creates a new lottery entry for attacker.
Finally, there's a test that demonstrates how an attacker can keep the account alive even after claiming rewards and then claim rewards again. That test looks like this:
1it("attacker can close + refund lottery acct + claim multiple rewards", async () => { 2 // claim multiple times 3 for (let i = 0; i < 2; i++) { 4 const tx = new Transaction() 5 // instruction claims rewards, program will try to close account 6 tx.add( 7 await program.methods 8 .redeemWinningsInsecure() 9 .accounts({ 10 lotteryEntry: attackerLotteryEntry, 11 user: attacker.publicKey, 12 userAta: attackerAta, 13 rewardMint: rewardMint, 14 mintAuth: mintAuth, 15 tokenProgram: TOKEN_PROGRAM_ID, 16 }) 17 .instruction() 18 ) 19 20 // user adds instruction to refund dataAccount lamports 21 const rentExemptLamports = 22 await provider.connection.getMinimumBalanceForRentExemption( 23 82, 24 "confirmed" 25 ) 26 tx.add( 27 SystemProgram.transfer({ 28 fromPubkey: attacker.publicKey, 29 toPubkey: attackerLotteryEntry, 30 lamports: rentExemptLamports, 31 }) 32 ) 33 // send tx 34 await sendAndConfirmTransaction(provider.connection, tx, [attacker]) 35 await new Promise((x) => setTimeout(x, 5000)) 36 } 37 38 const ata = await getAccount(provider.connection, attackerAta) 39 const lotteryEntry = await program.account.lotteryAccount.fetch( 40 attackerLotteryEntry 41 ) 42 43 expect(Number(ata.amount)).to.equal( 44 lotteryEntry.timestamp.toNumber() * 10 * 2 45 ) 46})
This test does the following:
- Calls redeem_rewards_insecure to redeem the user's rewards
- In the same transaction, adds an instruction to refund the user's lottery_entry before it can actually be closed
- Successfully repeats steps 1 and 2, redeeming rewards for a second time.
You can theoretically repeat steps 1-2 infinitely until either a) the program has no more rewards to give or b) someone notices and patches the exploit. This would obviously be a severe problem in any real program as it allows a malicious attacker to drain an entire rewards pool.
3. Create a redeem_rewards_secure instruction
To prevent this from happening we're going to create a new instruction that closes the lottery account seucrely using the Anchor close constraint. Feel free to try this out on your own if you'd like.
The new account validation struct called RedeemWinningsSecure should look like this:
1#[derive(Accounts)] 2pub struct RedeemWinningsSecure<'info> { 3 // program expects this account to be initialized 4 #[account( 5 mut, 6 seeds = [user.key().as_ref()], 7 bump = lottery_entry.bump, 8 has_one = user, 9 close = user 10 )] 11 pub lottery_entry: Account<'info, LotteryAccount>, 12 #[account(mut)] 13 pub user: Signer<'info>, 14 #[account( 15 mut, 16 constraint = user_ata.key() == lottery_entry.user_ata 17 )] 18 pub user_ata: Account<'info, TokenAccount>, 19 #[account( 20 mut, 21 constraint = reward_mint.key() == user_ata.mint 22 )] 23 pub reward_mint: Account<'info, Mint>, 24 ///CHECK: mint authority 25 #[account( 26 seeds = [MINT_SEED.as_bytes()], 27 bump 28 )] 29 pub mint_auth: AccountInfo<'info>, 30 pub token_program: Program<'info, Token> 31}
It should be the exact same as the original RedeemWinnings account validation struct, except there is an additional close = user constraint on the lottery_entry account. This will tell Anchor to close the account by zeroing out the data, transferring its lamports to the user account, and setting the account discriminator to the CLOSED_ACCOUNT_DISCRIMINATOR. This last step is what will prevent the account from being used again if the program has attempted to close it already.
Then, we can create a mint_ctx method on the new RedeemWinningsSecure struct to help with the minting CPI to the token program.
1impl<'info> RedeemWinningsSecure <'info> { 2 pub fn mint_ctx(&self) -> CpiContext<'_, '_, '_, 'info, MintTo<'info>> { 3 let cpi_program = self.token_program.to_account_info(); 4 let cpi_accounts = MintTo { 5 mint: self.reward_mint.to_account_info(), 6 to: self.user_ata.to_account_info(), 7 authority: self.mint_auth.to_account_info() 8 }; 9 10 CpiContext::new(cpi_program, cpi_accounts) 11 } 12}
Finally, the logic for the new secure instruction should look like this:
1pub fn redeem_winnings_secure(ctx: Context<RedeemWinningsSecure>) -> Result<()> { 2 3 msg!("Calculating winnings"); 4 let amount = ctx.accounts.lottery_entry.timestamp as u64 * 10; 5 6 msg!("Minting {} tokens in rewards", amount); 7 // program signer seeds 8 let auth_bump = *ctx.bumps.get("mint_auth").unwrap(); 9 let auth_seeds = &[MINT_SEED.as_bytes(), &[auth_bump]]; 10 let signer = &[&auth_seeds[..]]; 11 12 // redeem rewards by minting to user 13 mint_to(ctx.accounts.mint_ctx().with_signer(signer), amount)?; 14 15 Ok(()) 16}
This logic simply calculates the rewards for the claiming user and transfers the rewards. However, because of the close constraint in the account validation struct, the attacker shouldn't be able to call this instruction multiple times.
4. Test the Program
To test our new secure instruction, let's create a new test that trys to call redeemingWinningsSecure twice. We expect the second call to throw an error.
1it("attacker cannot claim multiple rewards with secure claim", async () => { 2 const tx = new Transaction() 3 // instruction claims rewards, program will try to close account 4 tx.add( 5 await program.methods 6 .redeemWinningsSecure() 7 .accounts({ 8 lotteryEntry: attackerLotteryEntry, 9 user: attacker.publicKey, 10 userAta: attackerAta, 11 rewardMint: rewardMint, 12 mintAuth: mintAuth, 13 tokenProgram: TOKEN_PROGRAM_ID, 14 }) 15 .instruction() 16 ) 17 18 // user adds instruction to refund dataAccount lamports 19 const rentExemptLamports = 20 await provider.connection.getMinimumBalanceForRentExemption( 21 82, 22 "confirmed" 23 ) 24 tx.add( 25 SystemProgram.transfer({ 26 fromPubkey: attacker.publicKey, 27 toPubkey: attackerLotteryEntry, 28 lamports: rentExemptLamports, 29 }) 30 ) 31 // send tx 32 await sendAndConfirmTransaction(provider.connection, tx, [attacker]) 33 34 try { 35 await program.methods 36 .redeemWinningsSecure() 37 .accounts({ 38 lotteryEntry: attackerLotteryEntry, 39 user: attacker.publicKey, 40 userAta: attackerAta, 41 rewardMint: rewardMint, 42 mintAuth: mintAuth, 43 tokenProgram: TOKEN_PROGRAM_ID, 44 }) 45 .signers([attacker]) 46 .rpc() 47 } catch (error) { 48 console.log(error.message) 49 expect(error) 50 } 51})
Run anchor test to see that the test passes. The output will look something like this:
1closing-accounts 2 ✔ Enter lottery (451ms) 3 ✔ attacker can close + refund lottery acct + claim multiple rewards (18760ms) 4AnchorError caused by account: lottery_entry. Error Code: AccountDiscriminatorMismatch. Error Number: 3002. Error Message: 8 byte discriminator did not match what was expected. 5 ✔ attacker cannot claim multiple rewards with secure claim (414ms)
Note, this does not prevent the malicious user from refunding their account altogether - it just protects our program from accidentally re-using the account when it should be closed. We haven't implemented a force_defund instruction so far, but we could. If you're feeling up for it, give it a try yourself!
The simplest and most secure way to close accounts is using Anchor's close constraint. If you ever need more custom behavior and can't use this constraint, make sure to replicate its functionality to ensure your program is secure.
If you want to take a look at the final solution code you can find it on the solution branch of the same repository.
Challenge
Just as with other lessons in this module, your opportunity to practice avoiding this security exploit lies in auditing your own or other programs.
Take some time to review at least one program and ensure that when accounts are closed they're not susceptible to revival attacks.
Remember, if you find a bug or exploit in somebody else's program, please alert them! If you find one in your own program, be sure to patch it right away.