Unable to decode event Instruction: X

[arijoon]

When using event parsers parseLogs if errorOnDecodeFailure is set to true the parser throws on the very first log which is always Program logged: "Instruction: X", X being whatever instruction is being executed. Is this an intended feature?

Additionally is it possible for another program to spoof the logs pretending to be a different program we're interested in?

[acheroncrypto]

When using event parsers parseLogs if errorOnDecodeFailure is set to true the parser throws on the very first log which is always Program logged: "Instruction: X", X being whatever instruction is being executed. Is this an intended feature?

It's most likely not the intended behavior if it always throws.

Additionally is it possible for another program to spoof the logs pretending to be a different program we're interested in?

We're essentially parsing the logs so I think it's possible to spoof it, but if you'd like to avoid that, there is event-cpi feature which requires "signing" an invocation with a PDA.

[arijoon]

We're essentially parsing the logs so I think it's possible to spoof it, but if you'd like to avoid that, there is event-cpi feature which requires "signing" an invocation with a PDA.

Oh thanks for this. I saw that feature but based on original docs assumed its only used to guarantee its available when logs are truncated. If that is far more secure then would certainly opt for it. Assuming it can be parsed with the Anchor event parser in a similar way or it needs to be parsed differently?

[acheroncrypto]

It needs to be parsed differently because it's not log based like the normal events. Here is an example:

anchor/tests/events/tests/events.ts

Lines 58 to 62 in 216b56e

	const ixData = anchor.utils.bytes.bs58.decode(
	txResult.meta.innerInstructions[0].instructions[0].data
	);
	const eventData = anchor.utils.bytes.base64.encode(ixData.slice(8));
	const event = program.coder.events.decode(eventData);

[arijoon]

It needs to be parsed differently because it's not log based like the normal events. Here is an example:

Thanks a lot this is much appreciated, indeed the event in the tx data looks a lot more secure than just parsing logs. One final question. Is checking the innerInstructions and ensuring account (__event_authority of our program) and programId are correct, then parsing the data enough to guarantee no other program could have spoofed this? Basically wondering if any other program can cause this cpi into our program (which has the event) without going through the top level instructions and somehow emit this CPI inner tx?

[acheroncrypto]

Is checking the innerInstructions and ensuring account (__event_authority of our program) and programId are correct, then parsing the data enough to guarantee no other program could have spoofed this?

Yes, checking those accounts should be enough because the event authority needs to "sign" to make self-CPI work.

Basically wondering if any other program can cause this cpi into our program (which has the event) without going through the top level instructions and somehow emit this CPI inner tx?

They shouldn't be able to do this because of the same reason above, the event authority needs to "sign" the invocation. We also have a test for this case:

anchor/tests/events/tests/events.ts

Lines 69 to 101 in 216b56e

	it("Throws on unauthorized invocation", async () => {
	const tx = new anchor.web3.Transaction();
	tx.add(
	new anchor.web3.TransactionInstruction({
	programId: program.programId,
	keys: [
	{
	pubkey: anchor.web3.PublicKey.findProgramAddressSync(
	[Buffer.from("__event_authority")],
	program.programId
	)[0],
	isSigner: false,
	isWritable: false,
	},
	{
	pubkey: program.programId,
	isSigner: false,
	isWritable: false,
	},
	],
	data: Buffer.from([0xe4, 0x45, 0xa5, 0x2e, 0x51, 0xcb, 0x9a, 0x1d]),
	})
	);
	try {
	await program.provider.sendAndConfirm(tx, []);
	} catch (e) {
	if (e.logs.some((log) => log.includes("ConstraintSigner"))) return;
	console.log(e);
	}
	throw new Error("Was able to invoke the self-CPI instruction");
	});