F-2026-0005 · missing-functionality

Missing cancellation mechanism for pending transfers leads to operational inflexibility

Fixed · solana · vault · ed25519
TL;DR

The two-step authority and withdrawal-signer transfer pattern lacks a cancellation instruction. A nominated transfer cannot be revoked, only overwritten.

Severity: LOW
Impact: LOW
Likelihood: LOW
Method: Manual review
Complexity: LOW
Exploitability: LOW

Description

The two-step transfer pattern for authority and withdrawal_signer lacks a cancellation mechanism. Once a nomination is initiated, the current authority cannot revoke it; they can only overwrite it with a different nomination. This creates operational inflexibility if a nomination was made in error.

Recommendation

Add cancellation instructions:

```rust
pub fn cancel_pending_authority(ctx: Context<CancelPending>) -> Result<()> {
    let transfers = &mut ctx.accounts.pending_transfers;
    // Reset the nomination to the default (all-zero) key, i.e. "nothing pending".
    transfers.pending_authority = Pubkey::default();
    msg!("Pending authority transfer cancelled");
    Ok(())
}
```
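
The state machine behind this recommendation, as an added example that is not Fair Casino's or Zealynx's code: a plain-Rust model (no Anchor dependency) of nominate, accept and cancel, showing that an acceptance attempted after cancellation is rejected. `Vault`, `Key`, `NONE`, `TransferError` and `demo` are hypothetical names, and the signer check inside `cancel` is an assumption about what the `CancelPending` account constraints would enforce.

```rust
// Plain-Rust model of the two-step transfer; Key stands in for Pubkey.
// NONE mirrors Pubkey::default() (all zeros) used as the "nothing pending" sentinel.
type Key = [u8; 32];
const NONE: Key = [0u8; 32];

#[derive(Debug, PartialEq)]
enum TransferError { Unauthorized, NothingPending, InvalidNominee }

struct Vault { authority: Key, pending_authority: Key }

impl Vault {
    // Step 1: the current authority nominates a successor (overwrites any earlier nomination).
    fn nominate(&mut self, signer: Key, nominee: Key) -> Result<(), TransferError> {
        if signer != self.authority { return Err(TransferError::Unauthorized); }
        // Assumption: the sentinel itself is never a valid nominee.
        if nominee == NONE { return Err(TransferError::InvalidNominee); }
        self.pending_authority = nominee;
        Ok(())
    }
    // Step 2: only the nominee can accept, and only while a nomination is pending.
    fn accept(&mut self, signer: Key) -> Result<(), TransferError> {
        if self.pending_authority == NONE { return Err(TransferError::NothingPending); }
        if signer != self.pending_authority { return Err(TransferError::Unauthorized); }
        self.authority = signer;
        self.pending_authority = NONE;
        Ok(())
    }
    // The missing instruction: the current authority clears the nomination.
    fn cancel(&mut self, signer: Key) -> Result<(), TransferError> {
        if signer != self.authority { return Err(TransferError::Unauthorized); }
        if self.pending_authority == NONE { return Err(TransferError::NothingPending); }
        self.pending_authority = NONE;
        Ok(())
    }
}

// Constructed scenario: a mistaken nomination is cancelled before it is accepted.
fn demo() -> (Result<(), TransferError>, Key) {
    let (admin, wrong) = ([1u8; 32], [9u8; 32]);
    let mut v = Vault { authority: admin, pending_authority: NONE };
    v.nominate(admin, wrong).unwrap();
    v.cancel(admin).unwrap();
    (v.accept(wrong), v.authority)
}

fn main() {
    let (late_accept, authority) = demo();
    println!("accept after cancel: {:?}; authority unchanged: {}", late_accept, authority == [1u8; 32]);
}
```
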

Resolution

Fair Casino: Fixed.

Zealynx: Verified.

Status: Fixed

© 2026 Zealynx