Vulnerabilities fixation

btb-finance · Nov 18, 2024 · b8f5787 · b8f5787
1 parent 1e77268
commit b8f5787
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 20 deletions.
diff --git a/programs/pda_vesting/src/error.rs b/programs/pda_vesting/src/error.rs
@@ -2,7 +2,7 @@ use anchor_lang::prelude::*;
 
 #[error_code]
 pub enum CustomError {
-    #[msg("Unauthorized: Only owner can perform this action")]
+    #[msg("Unauthorized: Only program owner/deployer can perform this action")]
     Unauthorized,
 
     #[msg("BTB price must be greater than 0")]
@@ -43,5 +43,4 @@ pub enum CustomError {
 
     #[msg("No tokens available to withdraw")]
     NoTokensToWithdraw,
-
 }
diff --git a/programs/pda_vesting/src/instructions/admin/initialize_token_config.rs b/programs/pda_vesting/src/instructions/admin/initialize_token_config.rs
@@ -16,10 +16,15 @@ pub fn process_initialize(ctx: Context<Initialize>,
     btb_price: u64, 
     vesting_price: u64
 ) -> Result<()> {
-
     require!(btb_price > 0, CustomError::ZeroBTBPrice);
     require!(vesting_price > 0, CustomError::ZeroVestingPrice);
 
+    // Validate deployer/signer is program owner
+    require!(
+        ctx.accounts.signer.key() == *ctx.program_id,
+        CustomError::Unauthorized
+    );
+
     let sale_account = &mut ctx.accounts.btb_sale_account;
     sale_account.btb = btb;
     sale_account.usdt = usdt;
@@ -29,14 +34,19 @@ pub fn process_initialize(ctx: Context<Initialize>,
     sale_account.owner_initialize_wallet = ctx.accounts.signer.key();
     sale_account.btb_price = btb_price;
     sale_account.vesting_price = vesting_price;
-    sale_account.is_sale_active = true; // Sale active by default
+    sale_account.is_sale_active = true;
     Ok(())
 }
 
 #[derive(Accounts)]
 pub struct Initialize<'info> {
-    #[account(init, payer = signer, space = 8 + 32 * 6 + 8 * 2 + 1,   
-              seeds = [b"btb-sale-account", signer.key().as_ref()], bump)]
+    #[account(
+        init, 
+        payer = signer, 
+        space = 8 + 32 * 6 + 8 * 2 + 1,   
+        seeds = [b"btb-sale-account", signer.key().as_ref()], 
+        bump
+    )]
     pub btb_sale_account: Account<'info, InitializeDataAccount>,
 
     #[account(init, payer = signer, 
@@ -49,4 +59,4 @@ pub struct Initialize<'info> {
     pub system_program: Program<'info, System>,
     pub token_program: Program<'info, Token>,
     pub associated_token_program: Program<'info, AssociatedToken>,
-}
+}
diff --git a/programs/pda_vesting/src/instructions/admin/token_administration.rs b/programs/pda_vesting/src/instructions/admin/token_administration.rs
@@ -21,9 +21,7 @@ pub fn transfer_admin(ctx: Context<TransferAdmin>, new_admin: Pubkey) -> Result<
         CustomError::Unauthorized
     );
 
-    // Update the admin
     sale_account.owner_initialize_wallet = new_admin;
-
     Ok(())
 }
 
@@ -32,32 +30,28 @@ pub fn process_toggle_sale(ctx: Context<UpdateData>) -> Result<()> {
 
     // Only owner can toggle sale status
     require!(
-        ctx.accounts.signer.key() == sale_account.owner_initialize_wallet,
+        ctx.accounts.signer.key() == sale_account.owner_initialize_wallet
+        && sale_account.owner_initialize_wallet == *ctx.program_id,
         CustomError::Unauthorized
     );
 
-    // Toggle the sale status
     sale_account.is_sale_active = !sale_account.is_sale_active;
-
     Ok(())
 }
 
 pub fn process_emergency_withdraw(ctx: Context<EmergencyWithdraw>) -> Result<()> {
     let btb_sale_account = &ctx.accounts.btb_sale_account;
 
-    // Only owner can withdraw
+    // Enhanced owner validation
     require!(
-        ctx.accounts.signer.key() == btb_sale_account.owner_initialize_wallet,
+        ctx.accounts.signer.key() == btb_sale_account.owner_initialize_wallet
+        && btb_sale_account.owner_initialize_wallet == *ctx.program_id,
         CustomError::Unauthorized
     );
 
-    // Get the current balance of BTB tokens in sale account
     let balance = ctx.accounts.btb_sale_token_account.amount;
-
-    // If balance is 0, return early
     require!(balance > 0, CustomError::NoTokensToWithdraw);
 
-    // Transfer all BTB tokens to owner's wallet
     token::transfer(
         CpiContext::new_with_signer(
             ctx.accounts.token_program.to_account_info(),
@@ -72,8 +66,8 @@ pub fn process_emergency_withdraw(ctx: Context<EmergencyWithdraw>) -> Result<()>
                 &[ctx.bumps.btb_sale_account],
             ]],
         ),
-        balance, // Transfer full balance
+        balance,
     )?;
 
     Ok(())
-}
+}