From eb050f9df0536d59dc857b195fa9b9cdf2976c85 Mon Sep 17 00:00:00 2001
From: techvoyagerX
Date: Sun, 15 Sep 2024 06:11:53 -0400
Subject: [PATCH] Add comments to sealevel attacks examples: insecure, recommended, and secure
---
 programs/10-sysvar-address-checking/insecure/src/lib.rs | 3 +++
 programs/10-sysvar-address-checking/recommended/src/lib.rs | 3 +++
 programs/10-sysvar-address-checking/secure/src/lib.rs | 2 ++
 3 files changed, 8 insertions(+)
diff --git a/programs/10-sysvar-address-checking/insecure/src/lib.rs b/programs/10-sysvar-address-checking/insecure/src/lib.rs
index ac32629..e92157e 100644
--- a/programs/10-sysvar-address-checking/insecure/src/lib.rs
+++ b/programs/10-sysvar-address-checking/insecure/src/lib.rs
@@ -7,6 +7,8 @@ pub mod insecure {
 use super::*;
 pub fn check_sysvar_address(ctx: Context) -> Result<()> {
+ // Simply logs the rent account's public key.
+ // No validation is performed, which can lead to attacks.
 msg!("Rent Key -> {}", ctx.accounts.rent.key().to_string());
 Ok(())
 }
@@ -14,5 +16,6 @@ pub mod insecure {
 #[derive(Accounts)]
 pub struct CheckSysvarAddress<'info> {
+ // Rent account is defined as an AccountInfo, allowing any account to be passed, leading to potential exploitation.
 rent: AccountInfo<'info>,
 }
diff --git a/programs/10-sysvar-address-checking/recommended/src/lib.rs b/programs/10-sysvar-address-checking/recommended/src/lib.rs
index 6491d94..c31247b 100644
--- a/programs/10-sysvar-address-checking/recommended/src/lib.rs
+++ b/programs/10-sysvar-address-checking/recommended/src/lib.rs
@@ -7,6 +7,8 @@ pub mod recommended {
 use super::*;
 pub fn check_sysvar_address(ctx: Context) -> Result<()> {
+ // Logs the rent account's public key.
+ // Here the rent account is properly typed as a Sysvar, ensuring it's a valid system account.
 msg!("Rent Key -> {}", ctx.accounts.rent.key().to_string());
 Ok(())
 }
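Review bot: The two comments added to the insecure example (above the `msg!` call in `check_sysvar_address` and on the `rent` field of `CheckSysvarAddress`) say only that this "can lead to attacks" and "potential exploitation", without naming the check that is missing. Since this file is the teaching example, the comment should state what is absent: the address of `rent` is never compared with `sysvar::rent::ID`, so the caller decides which account the program treats as the Rent sysvar. I would write the field comment as `// Plain AccountInfo: the address is never compared with sysvar::rent::ID, so the caller chooses which account stands in for Rent.` and the handler comment as `// Logs the key of whatever account was passed as rent; nothing checks that it is the Rent sysvar.`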
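Review bot: The second comment added above `msg!` in the recommended `check_sysvar_address` describes the guarantee as "a valid system account", which is not what the `Sysvar<'info, Rent>` type checks and is easy to confuse with accounts owned by the System Program. As far as I know the wrapper rejects any account whose address is not the Rent sysvar ID when the accounts struct is loaded, so the comment could read `// rent is typed Sysvar<'info, Rent>: account loading fails unless its address is the Rent sysvar ID.` The same applies to "built-in validation" on the `rent` field in the next hunk of this file, where naming the address check would make the contrast with the insecure example explicit.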
@@ -14,5 +16,6 @@ pub mod recommended {
 #[derive(Accounts)]
 pub struct CheckSysvarAddress<'info> {
+ // Rent account is correctly specified as the Sysvar Rent, providing built-in validation.
 rent: Sysvar<'info, Rent>,
 }
diff --git a/programs/10-sysvar-address-checking/secure/src/lib.rs b/programs/10-sysvar-address-checking/secure/src/lib.rs
index fb8cb9f..b8ddec1 100644
--- a/programs/10-sysvar-address-checking/secure/src/lib.rs
+++ b/programs/10-sysvar-address-checking/secure/src/lib.rs
@@ -7,6 +7,7 @@ pub mod secure {
 use super::*;
 pub fn check_sysvar_address(ctx: Context) -> Result<()> {
+ // Validates that the passed rent account is actually the Sysvar Rent account by comparing its key to the system's Rent ID.
 require_eq!(ctx.accounts.rent.key(), sysvar::rent::ID);
 msg!("Rent Key -> {}", ctx.accounts.rent.key().to_string());
 Ok(())
@@ -15,5 +16,6 @@ pub mod secure {
 #[derive(Accounts)]
 pub struct CheckSysvarAddress<'info> {
+ // Rent account is again an AccountInfo, but manual validation is enforced to check if it matches the Sysvar Rent account.
 rent: AccountInfo<'info>,
 }
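Review bot: The comment added above `require_eq!` in the secure `check_sysvar_address` says what is compared but not what happens on a mismatch, which is the part a reader of this example needs: the macro returns an error and the instruction stops before the `msg!` line runs. Something like `// Reject the instruction unless rent is the Rent sysvar: its key must equal sysvar::rent::ID.` covers that in one line. Separately, the documented line compares two public keys with `require_eq!`; as far as I recall Anchor's documentation describes that macro as meant for non-pubkey values and provides `require_keys_eq!` for keys, so that is worth confirming against the pinned Anchor version while this line is being touched.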
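Review bot: The comment added on the `rent` field of the secure `CheckSysvarAddress` says manual validation "is enforced", but nothing in this struct enforces it; the check is the `require_eq!` line in `check_sysvar_address`, so any other instruction that reused this accounts struct would receive an unchecked account. The comment should point at where the check lives, and recent Anchor versions expect that explanation as a `/// CHECK:` doc comment on `AccountInfo` fields (the pinned Anchor version is not visible here, so confirm it applies): `/// CHECK: address is compared with sysvar::rent::ID in check_sysvar_address.` If the example is allowed to change code, `#[account(address = sysvar::rent::ID)]` on the field would move the check into the struct itself.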