How to close program accounts safely and securely in Anchor and native Rust.
#[account(close = <address_to_send_lamports>)]
constraint to securely close accounts and set the account discriminator to the
CLOSED_ACCOUNT_DISCRIMINATOR
account_to_close
- the account to be closeddestination
- the account that should receive the closed account’s lamportsdestination
account’s lamports by the amount stored in the account_to_close
and setting the account_to_close
lamports to 0. With this program, after a
full transaction is processed, the account_to_close
will be garbage collected
by the runtime.
CLOSED_ACCOUNT_DISCRIMINATOR
.
This is simply an account discriminator where each byte is 255
. The
discriminator doesn’t have any inherent meaning, but if you couple it with
account validation checks that return errors any time an account with this
discriminator is passed to an instruction, you’ll stop your program from
unintentionally processing an instruction with a closed account.
close
constraint#[account(close = <target_account>)]
constraint. This constraint handles
everything required to securely close an account:
<target_account>
CLOSED_ACCOUNT_DISCRIMINATOR
variantforce_defund
instruction is an optional addition that you’ll have to
implement on your own if you’d like to utilize it.
starter
branch from the
following repo.
The code has two instructions on the program and two tests in the tests
directory.
The program instructions are:
enter_lottery
redeem_rewards_insecure
enter_lottery
, the program will initialize an account to
store some state about the user’s lottery entry.
Since this is a simplified example rather than a fully-fledge lottery program,
once a user has entered the lottery they can call the redeem_rewards_insecure
instruction at any time. This instruction will mint the user an amount of Reward
tokens proportional to the amount of times the user has entered the lottery.
After minting the rewards, the program closes the user’s lottery entry.
Take a minute to familiarize yourself with the program code. The enter_lottery
instruction simply creates an account at a PDA mapped to the user and
initializes some state on it.
The redeem_rewards_insecure
instruction performs some account and data
validation, mints tokens to the given token account, then closes the lottery
account by removing its lamports.
However, notice the redeem_rewards_insecure
instruction only transfers out
the account’s lamports, leaving the account open to revival attacks.
redeem_rewards_insecure
multiple times, claiming more rewards than they are
owed.
Some starter tests have already been written that showcase this vulnerability.
Take a look at the closing-accounts.ts
file in the tests
directory. There is
some setup in the before
function, then a test that simply creates a new
lottery entry for attacker
.
Finally, there’s a test that demonstrates how an attacker can keep the account
alive even after claiming rewards and then claim rewards again. That test looks
like this:
redeem_rewards_insecure
to redeem the user’s rewardslottery_entry
before it can actually be closedredeem_rewards_secure
instructionclose
constraint. Feel
free to try this out on your own if you’d like.
The new account validation struct called RedeemWinningsSecure
should look like
this:
RedeemWinnings
account validation
struct, except there is an additional close = user
constraint on the
lottery_entry
account. This will tell Anchor to close the account by zeroing
out the data, transferring its lamports to the user
account, and setting the
account discriminator to the CLOSED_ACCOUNT_DISCRIMINATOR
. This last step is
what will prevent the account from being used again if the program has attempted
to close it already.
Then, we can create a mint_ctx
method on the new RedeemWinningsSecure
struct
to help with the minting CPI to the token program.
close
constraint in the account validation
struct, the attacker shouldn’t be able to call this instruction multiple times.
redeemingWinningsSecure
twice. We expect the second call to throw an error.
anchor test
to see that the test passes. The output will look something
like this:
force_defund
instruction so
far, but we could. If you’re feeling up for it, give it a try yourself!
The simplest and most secure way to close accounts is using Anchor’s close
constraint. If you ever need more custom behavior and can’t use this constraint,
make sure to replicate its functionality to ensure your program is secure.
If you want to take a look at the final solution code you can find it on the
solution
branch of
the same repository.