The Confused Deputy Problem in Solana CPIs: 5 Patterns That Get Programs Drained


via Dev.to Webdevohmygod

Every month, another Solana program gets drained through a Cross-Program Invocation (CPI) vulnerability. Not because the concept is hard — because the defaults are dangerous and the failure modes are subtle. This article breaks down the five most common CPI vulnerability patterns I see in Solana program audits, with real Anchor code showing both the broken and fixed versions. If you write or audit Solana programs, bookmark this.

Why CPIs Are Solana's Biggest Attack Surface

On Solana, programs are stateless. They don't store data internally — they operate on accounts passed in by the caller. When Program A calls Program B via CPI, it forwards accounts along with the call. Here's the catch: signer privileges travel with the accounts. This creates a class of vulnerabilities called confused deputy attacks — where your program acts as an unwitting intermediary, using its authority on behalf of an attacker.

Pattern 1: Unverified Program ID in CPI Target

The most basic and most devastating p
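The confused-deputy mechanics and Pattern 1 described above, as an added example that is not the article's own Anchor code: a toy Rust model of CPI account forwarding that uses only the standard library. The `Runtime`, `AccountInfo`, 4-byte `Pubkey`, program ids, lamport balances and the `deposit_*` handlers are all constructed stand-ins for the real solana_program types and for a real deposit instruction. The point it shows is that the runtime dispatches to whichever program id the deputy names, so a deputy that never pins that id hands the transaction's signer privilege to an arbitrary program.

```rust
// Added example: a toy model of Solana CPI account forwarding, using only std.
// Assumption: these types stand in for solana_program's AccountInfo / Pubkey and for
// the runtime's invoke(); nothing here is the real SDK or the article's own code.
use std::collections::HashMap;

/// Constructed 4-byte key standing in for a 32-byte Solana Pubkey.
pub type Pubkey = [u8; 4];

/// Simplified stand-in for solana_program::account_info::AccountInfo.
#[derive(Clone, Debug, PartialEq)]
pub struct AccountInfo {
    pub key: Pubkey,
    /// Signer privilege is set by the transaction and rides along through every CPI hop.
    pub is_signer: bool,
    pub lamports: u64,
}

/// A program entrypoint in the toy runtime: forwarded accounts plus a requested amount.
pub type ProgramFn = fn(&mut [AccountInfo], u64) -> Result<(), String>;

/// Toy runtime: program id -> entrypoint; performs CPIs on request.
pub struct Runtime {
    programs: HashMap<Pubkey, ProgramFn>,
}

impl Runtime {
    pub fn deploy(&mut self, id: Pubkey, entry: ProgramFn) {
        self.programs.insert(id, entry);
    }
    /// CPI dispatch. The runtime only checks that the program exists; it cannot know
    /// whether the calling program meant to trust this id.
    pub fn invoke(&self, id: &Pubkey, accts: &mut [AccountInfo], amount: u64) -> Result<(), String> {
        let entry = self.programs.get(id).ok_or("program not found")?;
        entry(accts, amount)
    }
}

/// Constructed ids: the genuine token program and one deployed by an attacker.
pub const TOKEN_PROGRAM_ID: Pubkey = [1, 1, 1, 1];
pub const IMPOSTOR_PROGRAM_ID: Pubkey = [9, 9, 9, 9];

/// Genuine transfer: accts[0] (must have signed) pays `amount` lamports to accts[1].
pub fn token_transfer(accts: &mut [AccountInfo], amount: u64) -> Result<(), String> {
    if accts.len() < 2 { return Err("missing accounts".into()); }
    if !accts[0].is_signer { return Err("source must sign".into()); }
    if accts[0].lamports < amount { return Err("insufficient funds".into()); }
    accts[0].lamports -= amount;
    accts[1].lamports += amount;
    Ok(())
}

/// Impostor with the same interface: ignores the requested amount and moves the whole
/// signer balance to accts[1]. It stands in for "whatever program the caller named".
pub fn impostor_transfer(accts: &mut [AccountInfo], _amount: u64) -> Result<(), String> {
    if accts.len() < 2 || !accts[0].is_signer { return Err("impostor needs a signer".into()); }
    let all = accts[0].lamports;
    accts[0].lamports = 0;
    accts[1].lamports += all;
    Ok(())
}

/// Pattern 1, vulnerable: the deputy forwards the signer-flagged accounts to whatever
/// account the caller passed as the "token program", never checking its key.
pub fn deposit_unchecked(rt: &Runtime, token_program: &AccountInfo, accts: &mut [AccountInfo], amount: u64) -> Result<(), String> {
    rt.invoke(&token_program.key, accts, amount)
}

/// Pattern 1, fixed: pin the CPI target to the known id before forwarding anything.
/// (Anchor's `Program<'info, Token>` account type performs this check for you.)
pub fn deposit_checked(rt: &Runtime, token_program: &AccountInfo, accts: &mut [AccountInfo], amount: u64) -> Result<(), String> {
    if token_program.key != TOKEN_PROGRAM_ID {
        return Err("invalid program id for token_program".into());
    }
    rt.invoke(&token_program.key, accts, amount)
}

/// Toy chain with both programs deployed.
pub fn setup() -> Runtime {
    let mut rt = Runtime { programs: HashMap::new() };
    rt.deploy(TOKEN_PROGRAM_ID, token_transfer);
    rt.deploy(IMPOSTOR_PROGRAM_ID, impostor_transfer);
    rt
}

/// Constructed accounts: a user who signed the transaction (100 lamports) and a destination.
pub fn sample_accounts() -> Vec<AccountInfo> {
    vec![
        AccountInfo { key: [0xA0, 0, 0, 1], is_signer: true, lamports: 100 },
        AccountInfo { key: [0xA0, 0, 0, 2], is_signer: false, lamports: 0 },
    ]
}

fn main() {
    let rt = setup();
    let impostor = AccountInfo { key: IMPOSTOR_PROGRAM_ID, is_signer: false, lamports: 0 };
    let (mut a, mut b) = (sample_accounts(), sample_accounts());
    let r1 = deposit_unchecked(&rt, &impostor, &mut a, 10);
    let r2 = deposit_checked(&rt, &impostor, &mut b, 10);
    println!("unchecked deputy: {:?}, user balance {}", r1, a[0].lamports);
    println!("checked deputy:   {:?}, user balance {}", r2, b[0].lamports);
}
```

In a real Anchor program the equivalent of `deposit_checked` is declaring the CPI target as `Program<'info, Token>` (or comparing `token_program.key()` against the expected id) instead of accepting it as a bare `AccountInfo`; the runtime will not make that decision for you.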

Continue reading on Dev.to Webdev
