PT-2022-23023 · Solana · Solana Pay
Cmowenby
Published: 2022-08-01
Updated: 2023-05-16
CVE-2022-35917
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Solana Pay versions prior to 0.2.1
Description: Solana Pay is a protocol that enables developers to incorporate decentralized payments into their apps and services. When a Solana Pay transaction is located using a reference key, the supplied validateTransfer function can be used to check that it represents a transfer of the desired amount to the recipient. An edge case in this mechanism could cause the validation logic to validate multiple transfers. Most known Solana Pay point-of-sale applications currently run on physical point-of-sale devices, which makes this issue unlikely to occur. However, there may be web-based point-of-sale applications using the protocol where it is more likely to occur.
Recommendations: For versions prior to 0.2.1, upgrade to version 0.2.1 to resolve the issue. Until the patch is applied, consider restricting use of the validateTransfer function as a temporary measure; there are no known workarounds for this issue other than upgrading to the patched version.

Related Identifiers

CVE-2022-35917
GHSA-J47C-J42C-MWQQ

Affected Products

Solana Pay