Unknown · Anchor-Lang · CVE-2026-45137
**Name of the Vulnerable Software and Affected Versions**
anchor-lang versions prior to 1.0.2
**Description**
A logic error in the account validation process allows programs to accept any executable program ID where the system program ID is required. The validation path for `Program<T>` used `Pubkey::default()` as a sentinel meaning "untyped: accept any executable account". The Solana system program ID (`11111111111111111111111111111111`) is the all-zero key, which is exactly `Pubkey::default()`, so `Program<'info, System>` was indistinguishable from the untyped case and accepted any executable account in place of the system program.
This account validation bypass affects on-chain programs built with an affected version that declare `Program<'info, System>`, and can lead to arbitrary Cross-Program Invocations (CPI) or payment bypasses. An attacker can pass their own executable program where the system program is expected; the victim program then invokes the attacker's program instead of the system program and may proceed as if a lamport transfer or account creation had taken place when it did not.
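The sentinel collision, modelled as an added example (this is not anchor-lang's own code; `Pubkey`, `AccountInfo` and both validators are simplified stand-ins written for this page). The only real fact it relies on is that the system program ID is the all-zero key. The "vulnerable" validator reproduces the bug described above; the "fixed" validator makes the untyped case an explicit variant so that no real program ID can be mistaken for the sentinel:

```rust
// Added example modelling CVE-2026-45137; not anchor-lang's code.
// Assumption: the only thing taken from the real system is that the
// Solana system program ID (11111111111111111111111111111111) is 32 zero
// bytes, i.e. equal to Pubkey::default().

#[derive(Clone, Copy, PartialEq, Eq, Debug, Default)]
pub struct Pubkey(pub [u8; 32]);

pub const SYSTEM_PROGRAM_ID: Pubkey = Pubkey([0u8; 32]);

/// Minimal stand-in for the on-chain account metadata the validator sees.
#[derive(Debug)]
pub struct AccountInfo {
    pub key: Pubkey,
    pub executable: bool,
}

#[derive(Debug, PartialEq, Eq)]
pub enum ValidationError {
    NotExecutable,
    InvalidProgramId,
}

/// Vulnerable validator: an expected ID of `Pubkey::default()` is read as
/// "untyped, accept any executable program". Because the system program ID
/// *is* the default key, expecting System collapses into accepting anything.
pub fn validate_program_vulnerable(
    expected_id: Pubkey,
    info: &AccountInfo,
) -> Result<(), ValidationError> {
    if !info.executable {
        return Err(ValidationError::NotExecutable);
    }
    if expected_id != Pubkey::default() && info.key != expected_id {
        return Err(ValidationError::InvalidProgramId);
    }
    Ok(())
}

/// Fixed validator: "any executable program" is a distinct variant rather
/// than a magic value, so a typed System program is always compared by ID.
#[derive(Debug, Clone, Copy)]
pub enum ExpectedProgram {
    Any,
    Id(Pubkey),
}

pub fn validate_program_fixed(
    expected: ExpectedProgram,
    info: &AccountInfo,
) -> Result<(), ValidationError> {
    if !info.executable {
        return Err(ValidationError::NotExecutable);
    }
    if let ExpectedProgram::Id(id) = expected {
        if info.key != id {
            return Err(ValidationError::InvalidProgramId);
        }
    }
    Ok(())
}

/// Constructed attacker-controlled account: a non-zero key standing in for
/// a malicious program the attacker deployed (hypothetical, not a real ID).
pub fn attacker_program() -> AccountInfo {
    let mut key = [0u8; 32];
    key[0] = 0xAA;
    key[31] = 0x55;
    AccountInfo { key: Pubkey(key), executable: true }
}

/// The genuine system program account.
pub fn real_system_program() -> AccountInfo {
    AccountInfo { key: SYSTEM_PROGRAM_ID, executable: true }
}

fn main() {
    let mal = attacker_program();
    println!(
        "vulnerable, System expected, attacker program: {:?}",
        validate_program_vulnerable(SYSTEM_PROGRAM_ID, &mal)
    );
    println!(
        "fixed,      System expected, attacker program: {:?}",
        validate_program_fixed(ExpectedProgram::Id(SYSTEM_PROGRAM_ID), &mal)
    );
}
```

Run with `cargo run` (or `rustc` on the single file): the vulnerable path returns `Ok(())` for the attacker's program when System was expected, the fixed path returns `InvalidProgramId`. The design point is that a sentinel drawn from the same value space as legitimate inputs is unsafe whenever some legitimate input can equal it; an enum (or a separate untyped account type) removes the overlap entirely.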
**Recommendations**
Update to anchor-lang version 1.0.2 or later, then rebuild and redeploy any affected program: the check is compiled into the program binary, so bumping the dependency alone does not protect programs that are already deployed.