#0x1C

Missing Access Control Allows Unauthorized Root Escrow Funding

@coleflumpussubmitted a report toJupiterApril 7, 2026 at 23:06

Severity	INFORMATIONAL
CVSS	5.3`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N`
Vulnerability Type	Improper Access Control
Asset	LocpQgucEQHbqNABEYvBvwoxCPsSbG91A1QaQhQQqjn - Jupiter Lock
Endpoint	`https://github.com/jup-ag/jup-lock%20(programs/locker/src/instructions/root_escrow_instructions/fund_root_escrow.rs,%20lines%2035-75)`

Description

Summary

The fund_root_escrow instruction lacks access control checks, allowing any user to fund any root escrow regardless of whether they created it. This enables griefing and front-running attacks.

Technical Details

Affected component: programs/locker/src/instructions/root_escrow_instructions/fund_root_escrow.rs
Vulnerability type: Missing Access Control
Root cause: No has_one = creator constraint or equivalent check on the funding instruction. Any wallet can call fund_root_escrow for any existing root escrow.

Steps to Reproduce

Identify an existing root escrow created by another user
Call fund_root_escrow with the target escrow's address from an unauthorized wallet
Fund the escrow with tokens
Observe that the transaction succeeds despite the caller not being the escrow creator

Expected behavior: Only the escrow creator (or authorized parties) should be able to fund a root escrow.

Actual behavior: Any user can fund any root escrow. While extra tokens may simply remain unclaimed after vesting completes, unwanted funding could interfere with distribution tracking or bookkeeping for the escrow creator.

Impact

An attacker could grief escrow creators by funding escrows with unwanted amounts, potentially disrupting token distribution tracking.

Affected users/data: All root escrow creators are affected. No direct fund loss, but distribution logic can be disrupted.

Business impact: Griefing vector that could disrupt token vesting operations. Note that griefing costs the attacker real tokens, which limits practical exploitation.

Severity justification: Rated MEDIUM (CVSS 5.3) because while there is no direct fund loss, it is a clear access control violation that enables griefing. The cost to the attacker (spending their own tokens) limits the severity.

Activity

@raccoonsclosed the report asInformative

Apr 8

Hi @coleflumpus, Thank you for the report. We've reviewed this and are closing it as Informational. While it is correct that fund_root_escrow does not restrict callers to the escrow creator, this is by design and does not constitute an exploitable vulnerability: 1. The caller transfers tokens from their own wallet - there is no path to drain or redirect funds belonging to the escrow creator. 2. The funded amount is bounded by max_claim_amount - total_funded_amount, preventing overfunding beyond the intended cap. 3. The practical impact is a griefing vector that costs the attacker real tokens with no material benefit. Allowing permissionless funding is an intentional design choice to support use cases where multiple parties (e.g., DAOs, treasuries) may contribute to the same escrow. We appreciate you looking into this. While it doesn't meet the bar for a rewarded finding, we value your interest in the security of Jupiter Lock.

@raccoonschanged the severity frommediumtoinformational

6d ago

@raccoonsdisclosed this reportPublic Disclosure

4d ago

Properties

Status

INFORMATIVE

Severity

INFORMATIONAL

Reporter

@coleflumpus

Program

Jupiter