From 856c48541f958d9c8169d6f93be92d6837c9e92a Mon Sep 17 00:00:00 2001
From: Greg Fitzgerald <greg@solana.com>
Date: Wed, 17 Oct 2018 23:28:13 -0600
Subject: [PATCH] Restore elaborate attack

The test is showing how you can sneak by verify_plan() but not
verify_signature().
---
 src/budget_transaction.rs | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/src/budget_transaction.rs b/src/budget_transaction.rs
index 1fcec3d342..3c5c721135 100644
--- a/src/budget_transaction.rs
+++ b/src/budget_transaction.rs
@@ -317,14 +317,19 @@ mod tests {
         let keypair = Keypair::new();
         let pubkey = keypair.pubkey();
         let mut tx = Transaction::budget_new(&keypair, pubkey, 42, zero);
-        let mut instruction = tx.instruction(1).unwrap();
-        if let Instruction::NewBudget(ref mut budget) = instruction {
-            if let Budget::Pay(ref mut payment) = budget {
-                payment.tokens = 1_000_000; // <-- attack!
+        let mut system_instruction = tx.system_instruction(0).unwrap();
+        if let SystemProgram::Move { ref mut tokens } = system_instruction {
+            *tokens = 1_000_000; // <-- attack, part 1!
+            let mut instruction = tx.instruction(1).unwrap();
+            if let Instruction::NewBudget(ref mut budget) = instruction {
+                if let Budget::Pay(ref mut payment) = budget {
+                    payment.tokens = *tokens; // <-- attack, part 2!
+                }
             }
+            tx.instructions[1].userdata = serialize(&instruction).unwrap();
         }
-        tx.instructions[1].userdata = serialize(&instruction).unwrap();
-        assert!(!tx.verify_plan());
+        tx.instructions[0].userdata = serialize(&system_instruction).unwrap();
+        assert!(tx.verify_plan());
         assert!(!tx.verify_signature());
     }