MOD_07 // ARBITRARY_CPI
The Tip Jar Heist — Pass a fake program ID for CPI calls
THE VULNERABILITY
A tip jar accepts SOL via CPI to the System Program. The bug: system_program is an unchecked AccountInfo, so the caller decides which program receives the CPI.
VULNERABLE
/// CHECK: No validation!
pub system_program: AccountInfo<'info>,
SECURE
// Auto-validated!
pub system_program: Program<'info, System>,
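The effect of the two declarations, as an added example that is not part of the original page and is not Anchor's code: a std-only Rust model of the address and executable checks that `Program<'info, System>` applies before the CPI. `ProgramAccount`, `TipJar`, `TipError`, `invoke_transfer` and the tip-recording counter are assumptions made for illustration.

```rust
// Added example: a std-only model, not Anchor or Solana SDK code.
type Pubkey = [u8; 32];
// The System Program's address is 32 zero bytes.
const SYSTEM_PROGRAM_ID: Pubkey = [0u8; 32];

// Hypothetical stand-in for the account fields the check reads.
struct ProgramAccount { key: Pubkey, executable: bool }

#[derive(Debug, PartialEq)]
enum TipError { InvalidProgramId, InvalidProgramExecutable }

// Assumed jar state: real balance plus the program's own bookkeeping.
#[derive(Default)]
struct TipJar { lamports: u64, total_tips_recorded: u64 }

// Model of the CPI: only the real System Program moves lamports.
fn invoke_transfer(program: &ProgramAccount, jar: &mut TipJar, amount: u64) {
    if program.key == SYSTEM_PROGRAM_ID {
        jar.lamports += amount;
    } // any other program runs its own logic; modeled as moving nothing
}

// Vulnerable shape (AccountInfo): the caller picks the CPI target.
fn tip_unchecked(program: &ProgramAccount, jar: &mut TipJar, amount: u64) -> Result<(), TipError> {
    invoke_transfer(program, jar, amount);
    jar.total_tips_recorded += amount; // recorded even if nothing moved
    Ok(())
}

// Hardened shape: address and executable checks run before the CPI.
fn tip_checked(program: &ProgramAccount, jar: &mut TipJar, amount: u64) -> Result<(), TipError> {
    if program.key != SYSTEM_PROGRAM_ID {
        return Err(TipError::InvalidProgramId);
    }
    if !program.executable {
        return Err(TipError::InvalidProgramExecutable);
    }
    tip_unchecked(program, jar, amount)
}

fn main() {
    let other = ProgramAccount { key: [7u8; 32], executable: true }; // constructed
    let (mut a, mut b) = (TipJar::default(), TipJar::default());
    println!("unchecked: {:?}", tip_unchecked(&other, &mut a, 100));
    println!("  balance={} recorded={}", a.lamports, a.total_tips_recorded);
    println!("checked:   {:?}", tip_checked(&other, &mut b, 100));
    println!("  balance={} recorded={}", b.lamports, b.total_tips_recorded);
}
```

In the unchecked path the recorded total and the real balance diverge, which is the invariant to monitor; in the checked path the instruction fails before any state changes.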