[Anchor] Instance can be poisoned briefly after uploading the program

[ruuda]

For the Anker program, we are planning to do this:

• The Anker instance lives at a program-derived address, derived from the Anker program address, and the Solido instance address.
• The mint addresses for UST and bSOL get passed in at initialization.

This briefly exposes one potential attack vector in the time window between uploading the program and initializing the instance:

• We upload the program, but don’t initialize the instance yet.
• Before we are able to initialize the instance, somebody else does it, passing in the wrong token address for UST.
• Now we have a poisoned instance, and we can’t create a new one because the address is fixed.

I don’t think this is a big problem because:

• We can sidestep the problem by uploading the program to a new address, it will have a new instance address as well. So in the worst case, somebody could make us waste the rent for the program. (And we could reclaim that.)
• To exploit, somebody would have to be monitoring the chain for uploaded programs and quickly call initialize in the right way. That would be a lot of work and very targeted, for just this small impact.
• It is only exploitable in a small time window between uploading the program and initializing the instance.

One mitigation would be to hard-code the address that is allowed to call initialize, however, that makes the program more difficult to test, and such complications also mean there are more opportunities for bugs to hide. So I would leave this unmitigated; it is only a problem before initialization.

Either way, I’m writing this down for future reference, to acknowledge that this is a known issue.