Security

Insufficient Account Constraints

📖 What it is

A broad vulnerability category in Anchor programs where the account struct's constraint annotations — such as has_one, constraint = expr, seeds, bump, mint, authority, and token::mint — are missing or incomplete, allowing callers to supply accounts that pass deserialization and ownership checks but violate the program's intended relationships. For example, omitting has_one = authority on a vault account means any account can be passed as the authority; omitting mint = token_account.mint on an SPL token account means a different mint's token account could be substituted. Thorough Anchor account structs should declare every meaningful relationship between accounts as a typed constraint.
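
The relationships described above, as an added example (not part of the original entry and not Anchor's generated code): a plain-Rust model, without the anchor_lang crate, of what has_one and token::mint enforce compared with an account struct that declares neither. The Vault, TokenAccount and Withdraw types, the withdraw instruction and all keys are hypothetical, constructed for illustration.

```rust
// Plain-Rust model of the checks Anchor derives from account constraints.
// No anchor_lang dependency; all types, names and keys are constructed.
type Pubkey = [u8; 32];
fn key(n: u8) -> Pubkey { [n; 32] }

struct Vault { authority: Pubkey, mint: Pubkey }
struct TokenAccount { mint: Pubkey }

// Accounts a caller supplies to a hypothetical `withdraw` instruction.
struct Withdraw<'a> {
    vault: &'a Vault,
    authority: Pubkey, // key of the transaction signer
    mint: Pubkey,
    vault_tokens: &'a TokenAccount,
}

#[derive(Debug, PartialEq)]
enum Violation { VaultAuthority, VaultMint, TokenMint }

// Struct with no relationship constraints: once deserialization and
// ownership checks pass, any combination of accounts is accepted.
fn check_unconstrained(_a: &Withdraw) -> Result<(), Violation> { Ok(()) }

// Same struct with each relationship declared as a constraint.
fn check_constrained(a: &Withdraw) -> Result<(), Violation> {
    // vault: #[account(has_one = authority, has_one = mint)]
    if a.vault.authority != a.authority { return Err(Violation::VaultAuthority); }
    if a.vault.mint != a.mint { return Err(Violation::VaultMint); }
    // vault_tokens: #[account(token::mint = mint)]
    if a.vault_tokens.mint != a.mint { return Err(Violation::TokenMint); }
    Ok(())
}

fn main() {
    let vault = Vault { authority: key(1), mint: key(10) };
    let (tokens, other) = (TokenAccount { mint: key(10) }, TokenAccount { mint: key(11) });
    let cases = [
        ("expected accounts", Withdraw { vault: &vault, authority: key(1), mint: key(10), vault_tokens: &tokens }),
        ("unrelated signer", Withdraw { vault: &vault, authority: key(2), mint: key(10), vault_tokens: &tokens }),
        ("other mint's token account", Withdraw { vault: &vault, authority: key(1), mint: key(10), vault_tokens: &other }),
    ];
    for (name, a) in &cases {
        println!("{}: unconstrained={:?} constrained={:?}", name, check_unconstrained(a), check_constrained(a));
    }
}
```

The unconstrained check accepts all three cases, while the constrained one accepts only the first and names the violated relationship for the others.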
