- Addresses a critical vulnerability that could lead to the unauthorized access of Operator assets. This release introduces a new verification step during the creation of Holder accounts. These accounts can now only be generated using the CreateWithSeed(base, seed, programId) approach. It is vital to note that the format of the HolderCreate instruction has undergone modifications, with the addition of seed-based data and its length. This binary data structure aligns with the system instruction SystemProgram::CreateAccountWithSeed. The potential attack scenario involves intercepting accounts created by Neon EVM during iterative transactions. Specifically, accounts are are designed to accommodate extensive contracts deployed during a transaction. Neon EVM expands the size of these accounts over multiple Solana transactions due to the platform’s 10kB resizing limitation for PDA accounts. The attacker’s strategy involves specifying instructions for creating a Holder account once the account exists but remains uninitialized. This allows them to withdraw the stored LAMPORTs after closing the account.