#0x5C

systemic Inadequate CPI Target Program and Owner/Signer Validation Across Multiple Jupiter Programs

@brudasubmitted a report toJupiterMay 17, 2026 at 01:39

Severity	INFORMATIONAL
CVSS	9.8`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
Vulnerability Type	Insecure Direct Object Reference (IDOR)
Asset	JUP7pNXFL1G2BESRYMtZ1jepzfDQVffkkkf5JhXWWhC - Jupiter Aggregator

Description

Multiple Jupiter programs use UncheckedAccount for critical target program accounts (e.g., liquidity_program in flashloan payback) with only comment-based or indirect checks. This allows an attacker to supply a malicious program account, bypassing expected CPI validation and enabling unauthorized state changes, unpaid flashloans, or collateral movement.

Steps to Reproduce

On a local mainnet fork, clone the relevant programs (Lend flashloan + at least one other affected program).
Craft a transaction that calls the vulnerable instruction (e.g., flashloan_payback) while substituting a dummy/malicious program account for the expected liquidity_program or equivalent.
Observe that the expected validation is bypassed, allowing the attacker to complete the call without performing the required transfer or state change.
Demonstrate the same pattern (or a close variant) in at least one additional program (Perps keeper or Swap routing path).

Impact

Direct theft or movement of user/protocol funds across multiple high-TVL products (Lend, Perps, Swap). Can lead to protocol insolvency or large-scale user losses. Affects several programs that were only analyzed individually in prior audits.