@exodus/solana-lib 3.15.2 → 3.16.0

package/CHANGELOG.md

@@ -3,6 +3,26 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+## [3.16.0](https://github.com/ExodusMovement/assets/compare/@exodus/solana-lib@3.15.3...@exodus/solana-lib@3.16.0) (2025-11-11)
+
+
+### Features
+
+
+* feat: Solana support Close Authority Sponsorship in fee payer (#6767)
+
+
+
+## [3.15.3](https://github.com/ExodusMovement/assets/compare/@exodus/solana-lib@3.15.1...@exodus/solana-lib@3.15.3) (2025-11-06)
+
+
+### Bug Fixes
+
+
+* fix: overly strict transaction comparison in fee payer verification (#6785)
+
+
+
 ## [3.15.2](https://github.com/ExodusMovement/assets/compare/@exodus/solana-lib@3.15.1...@exodus/solana-lib@3.15.2) (2025-11-04)
 
 **Note:** Version bump only for package @exodus/solana-lib

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@exodus/solana-lib",
-  "version": "3.15.2",
+  "version": "3.16.0",
   "description": "Solana utils, such as for cryptography, address encoding/decoding, transaction building, etc.",
   "type": "module",
   "main": "src/index.js",
@@ -47,5 +47,5 @@
     "type": "git",
     "url": "git+https://github.com/ExodusMovement/assets.git"
   },
-  "gitHead": "c327da082bf6b55c270d4ab754c2abdc73e0a8de"
+  "gitHead": "e8b0a919196eda921b8bc532f5632180c2bef508"
 }

package/src/constants.js

@@ -36,3 +36,22 @@ export const LAMPORTS_PER_SOL = 1_000_000_000
 export const SOL_DECIMAL = Math.log10(LAMPORTS_PER_SOL)
 
 export const SUPPORTED_TRANSACTION_VERSIONS = new Set(['legacy', 0])
+
+export const SPL_TOKEN_AUTHORITY_TYPE = {
+  MINT_TOKENS: 0,
+  FREEZE_ACCOUNT: 1,
+  ACCOUNT_OWNER: 2,
+  CLOSE_ACCOUNT: 3,
+}
+
+export const SPL_TOKEN_INSTRUCTION_TYPE = {
+  INITIALIZE_MINT: 0,
+  INITIALIZE_ACCOUNT: 1,
+  INITIALIZE_MULTISIG: 2,
+  TRANSFER: 3,
+  APPROVE: 4,
+  REVOKE: 5,
+  SET_AUTHORITY: 6,
+  MINT_TO: 7,
+  BURN: 8,
+}

package/src/tx/verify-only-fee-payer-changed.js

@@ -1,7 +1,12 @@
 import lodash from 'lodash'
 import assert from 'minimalistic-assert'
 
-import { TOKEN_2022_PROGRAM_ID, TOKEN_PROGRAM_ID } from '../constants.js'
+import {
+  SPL_TOKEN_AUTHORITY_TYPE,
+  SPL_TOKEN_INSTRUCTION_TYPE,
+  TOKEN_2022_PROGRAM_ID,
+  TOKEN_PROGRAM_ID,
+} from '../constants.js'
 import { ASSOCIATED_TOKEN_PROGRAM_ID } from '../helpers/spl-token.js'
 import { SYSVAR_RENT_PUBKEY } from '../vendor/index.js'
 
@@ -19,16 +24,16 @@ export function verifyOnlyFeePayerChanged(beforeTx, afterTx) {
     )
   })
   assert(
-    beforeTx.message.accountKeys.length + 1 === afterTx.message.accountKeys.length,
-    'Fee payer account key was not added'
+    beforeTx.message.accountKeys.length <= afterTx.message.accountKeys.length,
+    'Account keys were removed'
   )
   assert(
     beforeTx.message.accountKeys.every(
       (beforeAccountKey) => !lodash.isEqual(beforeAccountKey, afterTx.message.accountKeys[0])
     ),
-    'Fee payer account key was not added'
+    'Fee payer account key was not added as first account'
   )
-  beforeTx.message.accountKeys.forEach((accountKey, index) => {
+  beforeTx.message.accountKeys.forEach((accountKey) => {
     assert(
       afterTx.message.accountKeys.some((afterAccountKey) =>
         lodash.isEqual(accountKey, afterAccountKey)
@@ -37,69 +42,152 @@ export function verifyOnlyFeePayerChanged(beforeTx, afterTx) {
     )
   })
 
-  assert(
-    beforeTx.message.instructions.length === afterTx.message.instructions.length,
-    'No new instructions are allowed'
-  )
+  const originalInstructionCount = beforeTx.message.instructions.length
+  const sponsoredInstructionCount = afterTx.message.instructions.length
+  assert(originalInstructionCount <= sponsoredInstructionCount, 'Instructions were removed')
+
+  beforeTx.message.instructions.forEach((instruction, index) => {
+    const afterInstruction = afterTx.message.instructions[index]
 
-  beforeTx.message.instructions.forEach(({ programIdIndex }, index) => {
     assert(
       lodash.isEqual(
-        beforeTx.message.accountKeys[beforeTx.message.instructions[index].programIdIndex],
-        afterTx.message.accountKeys[afterTx.message.instructions[index]?.programIdIndex]
+        beforeTx.message.accountKeys[instruction.programIdIndex],
+        afterTx.message.accountKeys[afterInstruction.programIdIndex]
       ),
-      'Instructions program ids were not updated'
+      'Instructions program ids were not updated correctly'
     )
-  })
 
-  beforeTx.message.instructions.forEach(({ accounts }, index) => {
-    const programId =
-      beforeTx.message.accountKeys[beforeTx.message.instructions[index].programIdIndex].toString()
-    const isATAProgram =
-      programId === TOKEN_PROGRAM_ID.toString() ||
-      programId === TOKEN_2022_PROGRAM_ID.toString() ||
-      programId === ASSOCIATED_TOKEN_PROGRAM_ID.toString()
-    const accountsPublicKeys = accounts.map((id) => beforeTx.message.accountKeys[id])
-    const containsRentSysvar = accountsPublicKeys.some(
-      (publicKey) => publicKey.toString() === SYSVAR_RENT_PUBKEY.toString()
+    assert(
+      lodash.isEqual(instruction.data, afterInstruction.data),
+      'Fee payer service modified instruction data unexpectedly'
     )
 
-    const afterAccountsPublicKeys = afterTx.message.instructions[index].accounts.map(
-      (id) => afterTx.message.accountKeys[id]
-    )
+    const beforeAccounts = instruction.accounts.map((id) => beforeTx.message.accountKeys[id])
+    const afterAccounts = afterInstruction.accounts.map((id) => afterTx.message.accountKeys[id])
+
+    const programId = beforeTx.message.accountKeys[instruction.programIdIndex].toString()
+
+    const containsRentSysvar = beforeAccounts.some((publicKey) => {
+      const keyStr = publicKey?.toString ? publicKey.toString() : String(publicKey)
+      return keyStr === SYSVAR_RENT_PUBKEY.toString()
+    })
 
-    if (containsRentSysvar && isATAProgram) {
-      const adjustedAccountsPublicKeys = [...accountsPublicKeys]
-      adjustedAccountsPublicKeys[0] = afterTx.message.accountKeys[0] // replace with the new fee payer
+    if (containsRentSysvar && isATAProgram(programId)) {
+      const adjustedBeforeAccounts = [...beforeAccounts]
+      adjustedBeforeAccounts[0] = afterTx.message.accountKeys[0]
       assert(
-        lodash.isEqual(adjustedAccountsPublicKeys, afterAccountsPublicKeys),
-        'Instructions account key indexes were not updated'
+        lodash.isEqual(adjustedBeforeAccounts, afterAccounts),
+        'Instruction account keys were not updated correctly'
       )
     } else {
       assert(
-        lodash.isEqual(accountsPublicKeys, afterAccountsPublicKeys),
-        'Instructions account key indexes were not updated'
+        lodash.isEqual(beforeAccounts, afterAccounts),
+        'Instruction account keys were not updated correctly'
       )
     }
   })
 
-  beforeTx.message.instructions.forEach((instruction, index) => {
-    assert(
-      lodash.isEqual(
-        { ...instruction, accounts: null, programIdIndex: null },
-        {
-          ...afterTx.message.instructions[index],
-          accounts: null,
-          programIdIndex: null,
-        }
-      ),
-      'Instructions do not match in some attributes'
-    )
-  })
+  // If there are appended instructions, validate they are SetAuthority(CloseAccount)
+  if (sponsoredInstructionCount > originalInstructionCount) {
+    const expectedProtectedAccounts = getTokenAccountCreations(beforeTx)
+    const appendedCount = sponsoredInstructionCount - originalInstructionCount
 
-  afterTx.message.indexToProgramIds.forEach((value, key) => {
-    assert(afterTx.message.accountKeys[key] === value, 'IndexToProgramIds do not match accountKeys')
-  })
+    // If token accounts are being created, verify exact count match
+    if (expectedProtectedAccounts.length > 0) {
+      // Zero-trust mode: Server should add exactly one SetAuthority per sponsored token account
+      assert(
+        appendedCount === expectedProtectedAccounts.length,
+        `Expected ${expectedProtectedAccounts.length} SetAuthority instructions for created token accounts, but got ${appendedCount}`
+      )
+    }
+
+    const protectedAccountsMap = new Map()
+
+    for (let i = originalInstructionCount; i < sponsoredInstructionCount; i++) {
+      const instruction = afterTx.message.instructions[i]
+      const programId = afterTx.message.accountKeys[instruction.programIdIndex]
+
+      assert(
+        isTokenProgram(programId),
+        `Appended instruction ${i - originalInstructionCount + 1} is not from a token program`
+      )
+
+      const data = instruction.data
+      assert(
+        data && data.length > 0,
+        `Appended instruction ${i - originalInstructionCount + 1} has no data`
+      )
+
+      const instructionType = data[0]
+      assert(
+        instructionType === SPL_TOKEN_INSTRUCTION_TYPE.SET_AUTHORITY,
+        `Appended instruction ${i - originalInstructionCount + 1} is not SetAuthority`
+      )
+
+      assert(
+        data.length >= 35,
+        `Appended instruction ${i - originalInstructionCount + 1} has invalid SetAuthority data length`
+      )
+
+      const authorityType = data[1]
+      const hasNewAuthority = data[2]
+
+      assert(
+        authorityType === SPL_TOKEN_AUTHORITY_TYPE.CLOSE_ACCOUNT,
+        `Appended instruction ${i - originalInstructionCount + 1} is not for CloseAccount authority`
+      )
+
+      assert(
+        hasNewAuthority === 1,
+        `Appended instruction ${i - originalInstructionCount + 1} does not set a new authority`
+      )
+
+      assert(
+        instruction.accounts && instruction.accounts.length > 0,
+        `Appended instruction ${i - originalInstructionCount + 1} has no target account`
+      )
+
+      const targetAccountIndex = instruction.accounts[0]
+      const targetAccount = afterTx.message.accountKeys[targetAccountIndex].toString()
+
+      if (expectedProtectedAccounts.length > 0) {
+        // Find matching created account
+        const expectedAccount = expectedProtectedAccounts.find((exp) => {
+          return exp.account.toString() === targetAccount
+        })
+
+        assert(expectedAccount, `SetAuthority targets unexpected account: ${targetAccount}`)
+
+        // Verify using correct token program for this account
+        const expectedTokenProgram = expectedAccount.tokenProgram
+        assert(
+          programId.toString() === expectedTokenProgram.toString(),
+          `SetAuthority uses wrong token program for account ${targetAccount}`
+        )
+
+        assert(
+          !protectedAccountsMap.has(targetAccount),
+          `Duplicate SetAuthority for account ${targetAccount}`
+        )
+        protectedAccountsMap.set(targetAccount, true)
+      }
+    }
+
+    if (expectedProtectedAccounts.length > 0) {
+      assert(
+        protectedAccountsMap.size === expectedProtectedAccounts.length,
+        'Not all created token accounts received SetAuthority protection'
+      )
+    }
+  }
+
+  if (afterTx.message.indexToProgramIds) {
+    afterTx.message.indexToProgramIds.forEach((value, key) => {
+      const accountKey = afterTx.message.accountKeys[key]
+      const matches = accountKey?.equals ? accountKey.equals(value) : accountKey === value
+      assert(matches, 'IndexToProgramIds do not match accountKeys')
+    })
+  }
 
   assert(
     lodash.isEqual(
@@ -122,14 +210,24 @@ export function verifyOnlyFeePayerChanged(beforeTx, afterTx) {
     lodash.isEqual(
       {
         ...beforeTx.message,
-        header: { ...beforeTx.message.header, numRequiredSignatures: null },
+        header: {
+          ...beforeTx.message.header,
+          numRequiredSignatures: null,
+          numReadonlySignedAccounts: null,
+          numReadonlyUnsignedAccounts: null,
+        },
         accountKeys: null,
         instructions: null,
         indexToProgramIds: null,
       },
       {
         ...afterTx.message,
-        header: { ...afterTx.message.header, numRequiredSignatures: null },
+        header: {
+          ...afterTx.message.header,
+          numRequiredSignatures: null,
+          numReadonlySignedAccounts: null,
+          numReadonlyUnsignedAccounts: null,
+        },
         accountKeys: null,
         instructions: null,
         indexToProgramIds: null,
@@ -138,3 +236,61 @@ export function verifyOnlyFeePayerChanged(beforeTx, afterTx) {
     'Transactions do not match in some attributes'
   )
 }
+
+function isTokenProgram(programId) {
+  const programIdStr = programId.toString()
+  return (
+    programIdStr === TOKEN_PROGRAM_ID.toString() ||
+    programIdStr === TOKEN_2022_PROGRAM_ID.toString()
+  )
+}
+
+function isATAProgram(programId) {
+  const programIdStr = programId.toString()
+  return isTokenProgram(programId) || programIdStr === ASSOCIATED_TOKEN_PROGRAM_ID.toString()
+}
+
+function getTokenAccountCreations(transaction) {
+  const createdAccounts = []
+
+  transaction.message.instructions.forEach((instruction, index) => {
+    const programId = transaction.message.accountKeys[instruction.programIdIndex].toString()
+
+    // Check for ATA creation (Associated Token Account Program)
+    if (
+      programId === ASSOCIATED_TOKEN_PROGRAM_ID.toString() && // For ATA creation, the new account is typically at index 1
+      // Index 0 is payer, Index 1 is the ATA being created, Index 5 is the token program
+      instruction.accounts?.length >= 2
+    ) {
+      const ataIndex = instruction.accounts[1]
+      const tokenProgramIndex = instruction.accounts.length > 5 ? instruction.accounts[5] : null
+
+      createdAccounts.push({
+        accountIndex: ataIndex,
+        account: transaction.message.accountKeys[ataIndex],
+        tokenProgram: tokenProgramIndex
+          ? transaction.message.accountKeys[tokenProgramIndex]
+          : TOKEN_PROGRAM_ID,
+      })
+    }
+
+    // Check for InitializeAccount instruction (classic token account creation)
+    if (isTokenProgram(programId)) {
+      const data = instruction.data
+
+      if (
+        data?.length > 0 &&
+        data[0] === SPL_TOKEN_INSTRUCTION_TYPE.INITIALIZE_ACCOUNT &&
+        instruction.accounts?.length > 0
+      ) {
+        createdAccounts.push({
+          accountIndex: instruction.accounts[0],
+          account: transaction.message.accountKeys[instruction.accounts[0]],
+          tokenProgram: programId,
+        })
+      }
+    }
+  })
+
+  return createdAccounts
+}