@exodus/solana-lib 3.15.3 → 3.17.0

package/CHANGELOG.md

@@ -3,6 +3,26 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+## [3.17.0](https://github.com/ExodusMovement/assets/compare/@exodus/solana-lib@3.15.3...@exodus/solana-lib@3.17.0) (2025-11-13)
+
+
+### Features
+
+
+* feat: Solana support Close Authority Sponsorship in fee payer (#6767)
+
+
+
+## [3.16.0](https://github.com/ExodusMovement/assets/compare/@exodus/solana-lib@3.15.3...@exodus/solana-lib@3.16.0) (2025-11-11)
+
+
+### Features
+
+
+* feat: Solana support Close Authority Sponsorship in fee payer (#6767)
+
+
+
 ## [3.15.3](https://github.com/ExodusMovement/assets/compare/@exodus/solana-lib@3.15.1...@exodus/solana-lib@3.15.3) (2025-11-06)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@exodus/solana-lib",
-  "version": "3.15.3",
+  "version": "3.17.0",
   "description": "Solana utils, such as for cryptography, address encoding/decoding, transaction building, etc.",
   "type": "module",
   "main": "src/index.js",
@@ -47,5 +47,5 @@
     "type": "git",
     "url": "git+https://github.com/ExodusMovement/assets.git"
   },
-  "gitHead": "4ed7fb1a57f5d2728f3e491f023144a4ccf3a1d4"
+  "gitHead": "6a39e3cdbf3bf1849d6d4aae8e935588332d92ac"
 }

package/src/constants.js

@@ -36,3 +36,22 @@ export const LAMPORTS_PER_SOL = 1_000_000_000
 export const SOL_DECIMAL = Math.log10(LAMPORTS_PER_SOL)
 
 export const SUPPORTED_TRANSACTION_VERSIONS = new Set(['legacy', 0])
+
+export const SPL_TOKEN_AUTHORITY_TYPE = {
+  MINT_TOKENS: 0,
+  FREEZE_ACCOUNT: 1,
+  ACCOUNT_OWNER: 2,
+  CLOSE_ACCOUNT: 3,
+}
+
+export const SPL_TOKEN_INSTRUCTION_TYPE = {
+  INITIALIZE_MINT: 0,
+  INITIALIZE_ACCOUNT: 1,
+  INITIALIZE_MULTISIG: 2,
+  TRANSFER: 3,
+  APPROVE: 4,
+  REVOKE: 5,
+  SET_AUTHORITY: 6,
+  MINT_TO: 7,
+  BURN: 8,
+}

package/src/tx/parse-tx-buffer.js

@@ -1,28 +1,36 @@
 import BN from 'bn.js'
 import bs58 from 'bs58'
 
-import { COMPUTE_BUDGET_PROGRAM_ID, SYSTEM_PROGRAM_ID, TOKEN_PROGRAM_ID } from '../constants.js'
+import { SYSTEM_PROGRAM_ID, TOKEN_2022_PROGRAM_ID, TOKEN_PROGRAM_ID } from '../constants.js'
+import { SYSTEM_INSTRUCTION_LAYOUTS, TOKEN_INSTRUCTION_LAYOUTS } from '../vendor/index.js'
 import { deserializeTransaction } from './common.js'
 
-function decodeSPLTransferData(base58Data) {
-  const buffer = bs58.decode(base58Data)
+function decodeSPLTransferData(data) {
+  // Data is already normalized to Buffer in normalizeInstruction
+  if (data.length < 9) throw new Error('Instruction data too short for SPL transfer')
 
-  // 1 byte
-  if (buffer[0] !== 3) {
-    throw new Error(`Unsupported instruction type: ${buffer[0]}`)
+  const instructionType = data[0]
+  const amountBytes = data.slice(1, 9)
+  const amountBN = new BN(amountBytes, 'le')
+
+  if (instructionType === TOKEN_INSTRUCTION_LAYOUTS.Transfer.index) {
+    return { amount: amountBN, method: 'transfer' }
   }
 
-  const amountBytes = buffer.slice(1, 9)
-  const amountBN = new BN(amountBytes, 'le')
+  if (instructionType === TOKEN_INSTRUCTION_LAYOUTS.TransferChecked.index) {
+    if (data.length < 10) throw new Error('Instruction data too short for transferChecked')
+    const decimals = data[9]
+    return { amount: amountBN, method: 'transferChecked', decimals }
+  }
 
-  return { amount: amountBN, method: 'transfer' }
+  throw new Error(`Unsupported instruction type: ${instructionType}`)
 }
 
-function decodeSystemTransferData(base58Data) {
-  const buffer = bs58.decode(base58Data)
+function decodeSystemTransferData(data) {
+  const buffer = Buffer.from(data)
 
-  // 4 bytes
-  if (buffer.readUInt32LE(0) !== 2) {
+  // 4 bytes - instruction type must be 2 (Transfer)
+  if (buffer.readUInt32LE(0) !== SYSTEM_INSTRUCTION_LAYOUTS.Transfer.index) {
     throw new Error(`Unsupported instruction type for SystemProgram: ${buffer.readUInt32LE(0)}`)
   }
 
@@ -35,29 +43,38 @@ function decodeSystemTransferData(base58Data) {
   }
 }
 
-// TODO support more tx types/options
-export function isTokenTransfer(tx) {
-  const { message } = tx
-  const { accountKeys, instructions } = message
+// Helper function to check if an instruction is a token transfer
+function isTokenTransferInstruction(instruction, accountKeys) {
+  if (!instruction || instruction.programIdIndex === undefined) return false
 
-  if (!Array.isArray(accountKeys) || accountKeys.length !== 6) return false
-  if (!Array.isArray(instructions) || instructions.length !== 3) return false
+  const programId = accountKeys[instruction.programIdIndex]
 
-  const [ix1, ix2, ix3] = instructions
-  if (
-    !accountKeys[ix1.programIdIndex].equals(COMPUTE_BUDGET_PROGRAM_ID) ||
-    !accountKeys[ix2.programIdIndex].equals(COMPUTE_BUDGET_PROGRAM_ID)
-  ) {
+  if (!programId.equals(TOKEN_PROGRAM_ID) && !programId.equals(TOKEN_2022_PROGRAM_ID)) {
     return false
   }
 
-  if (!accountKeys[ix3.programIdIndex].equals(TOKEN_PROGRAM_ID)) return false
-
-  if (!Array.isArray(ix3.accounts) || ix3.accounts.length !== 3) return false
+  // Must have at least 3 accounts (from, to, authority, and potentially more for delegate transfers)
+  if (!Array.isArray(instruction.accounts) || instruction.accounts.length < 3) {
+    return false
+  }
 
+  // Check if the instruction data is transfer (0x03) or transferChecked (0x0c/12)
+  // Note: Must handle both formats because this is called from isTokenTransfer()
+  // which uses non-normalized instructions
   try {
-    const data = bs58.decode(ix3.data)
-    if (data[0] !== 0x03) return false
+    let data = instruction.data
+    if (typeof data === 'string') {
+      data = bs58.decode(data)
+    }
+
+    const instructionType = data[0]
+    // Accept both Transfer and TransferChecked
+    if (
+      instructionType !== TOKEN_INSTRUCTION_LAYOUTS.Transfer.index &&
+      instructionType !== TOKEN_INSTRUCTION_LAYOUTS.TransferChecked.index
+    ) {
+      return false
+    }
   } catch {
     return false
   }
@@ -65,28 +82,40 @@ export function isTokenTransfer(tx) {
   return true
 }
 
-export function isSolanaTransfer(tx) {
+export function isTokenTransfer(tx) {
   const { message } = tx
   const { accountKeys, instructions } = message
 
-  if (!Array.isArray(accountKeys) || accountKeys.length !== 5) return false
-  if (!Array.isArray(instructions) || instructions.length !== 3) return false
+  if (!Array.isArray(accountKeys) || !Array.isArray(instructions)) return false
 
-  if (
-    !accountKeys[instructions[0].programIdIndex].equals(COMPUTE_BUDGET_PROGRAM_ID) ||
-    !accountKeys[instructions[1].programIdIndex].equals(COMPUTE_BUDGET_PROGRAM_ID)
-  ) {
-    return false
-  }
+  // Search for any token transfer instruction
+  return instructions.some((instruction) => isTokenTransferInstruction(instruction, accountKeys))
+}
+
+// Helper function to check if an instruction is a SOL transfer
+function isSolTransferInstruction(instruction, accountKeys) {
+  if (!instruction || instruction.programIdIndex === undefined) return false
+
+  const programId = accountKeys[instruction.programIdIndex]
 
-  const ix = instructions[2]
-  if (!accountKeys[ix.programIdIndex].equals(SYSTEM_PROGRAM_ID)) return false
+  if (!programId.equals(SYSTEM_PROGRAM_ID)) return false
 
-  if (!Array.isArray(ix.accounts) || ix.accounts.length !== 2) return false
+  // Must have exactly 2 accounts (from, to)
+  if (!Array.isArray(instruction.accounts) || instruction.accounts.length !== 2) {
+    return false
+  }
 
+  // Check if the instruction data starts with 0x02 (System Transfer)
+  // Note: Must handle both formats because this is called from isSolanaTransfer()
+  // which uses non-normalized instructions
   try {
-    const data = bs58.decode(ix.data)
-    if (data[0] !== 0x02) return false
+    let data = instruction.data
+    if (typeof data === 'string') {
+      data = bs58.decode(data)
+    }
+
+    const buffer = Buffer.from(data)
+    if (buffer.readUInt32LE(0) !== SYSTEM_INSTRUCTION_LAYOUTS.Transfer.index) return false
   } catch {
     return false
   }
@@ -94,43 +123,165 @@ export function isSolanaTransfer(tx) {
   return true
 }
 
+export function isSolanaTransfer(tx) {
+  const { message } = tx
+  const { accountKeys, instructions } = message
+
+  if (!Array.isArray(accountKeys) || !Array.isArray(instructions)) return false
+
+  return instructions.some((instruction) => isSolTransferInstruction(instruction, accountKeys))
+}
+
+// Helper to normalize account keys for both versioned and legacy transactions
+function getAccountKeys(message) {
+  // Versioned transactions use staticAccountKeys
+  if (message.staticAccountKeys) {
+    return message.staticAccountKeys
+  }
+
+  // Legacy transactions use accountKeys
+  return message.accountKeys
+}
+
+// Helper to normalize a single instruction (handles both compiled and regular instructions)
+function normalizeInstruction(instruction) {
+  let normalizedData = instruction.data
+  if (typeof instruction.data === 'string') {
+    normalizedData = bs58.decode(instruction.data)
+  }
+
+  return {
+    programIdIndex: instruction.programIdIndex,
+    accounts: instruction.accountKeyIndexes || instruction.accounts,
+    data: normalizedData,
+  }
+}
+
+// Helper to normalize instructions for both versioned and legacy transactions
+function getInstructions(message) {
+  let instructions
+  // Versioned transactions use compiledInstructions
+  if (message.compiledInstructions) {
+    instructions = message.compiledInstructions
+  } else if (message.instructions) {
+    // Legacy transactions use instructions
+    instructions = message.instructions
+  } else {
+    return []
+  }
+
+  return instructions.map((inst) => normalizeInstruction(inst))
+}
+
 // TODO: Unify with parseTransaction in solana-api and use there as well?
-// TODO: support more tx types.
+// TODO: add support for swap and stake instructions
 export async function parseTxBuffer(buffer, api) {
   const transaction = deserializeTransaction(buffer)
+  const { message } = transaction
+
+  // Normalize account keys and instructions (versioned vs legacy)
+  const accountKeys = getAccountKeys(message)
+  const instructions = getInstructions(message)
+
+  if (!Array.isArray(accountKeys) || !Array.isArray(instructions)) {
+    throw new TypeError('Invalid transaction structure')
+  }
+
+  const parsedInstructions = []
 
   try {
-    if (isTokenTransfer(transaction)) {
-      const mainInstruction = transaction.message.instructions[2]
-      const { amount, method } = decodeSPLTransferData(mainInstruction.data)
-
-      const fromTokenAddress =
-        transaction.message.accountKeys[mainInstruction.accounts[0]].toBase58()
-      const toTokenAddress = transaction.message.accountKeys[mainInstruction.accounts[1]].toBase58()
-      const from = await api.getTokenAddressOwner(fromTokenAddress)
-      const to = await api.getTokenAddressOwner(toTokenAddress)
-      return {
-        method,
-        from,
-        to,
-        amount,
+    for (const [index, instruction] of instructions.entries()) {
+      if (isTokenTransferInstruction(instruction, accountKeys)) {
+        const decoded = decodeSPLTransferData(instruction.data)
+        const programId = accountKeys[instruction.programIdIndex]
+
+        // Transfer (3): [source, destination, authority]
+        // TransferChecked (12): [source, mint, destination, authority, ...]
+        let fromTokenAccount, toTokenAccount, mintAddress
+
+        if (decoded.method === 'transferChecked') {
+          // TransferChecked: mint is at index 1, destination at index 2
+          fromTokenAccount = accountKeys[instruction.accounts[0]].toBase58()
+          mintAddress = accountKeys[instruction.accounts[1]].toBase58() // Mint directly from accounts
+          toTokenAccount = accountKeys[instruction.accounts[2]].toBase58()
+        } else {
+          // Transfer: destination is at index 1
+          fromTokenAccount = accountKeys[instruction.accounts[0]].toBase58()
+          toTokenAccount = accountKeys[instruction.accounts[1]].toBase58()
+          mintAddress = null
+        }
+
+        // Get token account owners in parallel (requires API calls)
+        let fromOwner, toOwner
+        if (api) {
+          ;[fromOwner, toOwner, mintAddress] = await Promise.all([
+            api.getTokenAddressOwner(fromTokenAccount),
+            api.getTokenAddressOwner(toTokenAccount),
+            mintAddress
+              ? Promise.resolve(mintAddress)
+              : getMintAddressFromTokenAccount(fromTokenAccount, api),
+          ])
+          // Fallback to token account address if owner lookup fails
+          fromOwner = fromOwner || fromTokenAccount
+          toOwner = toOwner || toTokenAccount
+        } else {
+          fromOwner = fromTokenAccount
+          toOwner = toTokenAccount
+        }
+
+        const parsedInstruction = {
+          method: decoded.method,
+          from: fromOwner,
+          to: toOwner,
+          amount: decoded.amount,
+          programId: programId.toBase58(),
+          instructionIndex: index,
+          fromTokenAccount,
+          toTokenAccount,
+          mintAddress,
+        }
+
+        // Include decimals if it's a transferChecked instruction
+        if (decoded.decimals !== undefined) {
+          parsedInstruction.decimals = decoded.decimals
+        }
+
+        parsedInstructions.push(parsedInstruction)
+      } else if (isSolTransferInstruction(instruction, accountKeys)) {
+        const { amount, method } = decodeSystemTransferData(instruction.data)
+        const programId = accountKeys[instruction.programIdIndex]
+
+        parsedInstructions.push({
+          method,
+          from: accountKeys[instruction.accounts[0]].toBase58(),
+          to: accountKeys[instruction.accounts[1]].toBase58(),
+          amount,
+          programId: programId.toBase58(),
+          instructionIndex: index,
+        })
       }
     }
+  } catch (error) {
+    console.log('instruction parsing error', error)
+    throw error
+  }
 
-    if (isSolanaTransfer(transaction)) {
-      const mainInstruction = transaction.message.instructions[2]
-      const { amount, method } = decodeSystemTransferData(mainInstruction.data)
+  if (parsedInstructions.length === 0) {
+    throw new Error('No supported instructions found in transaction')
+  }
 
-      return {
-        method,
-        from: transaction.message.accountKeys[mainInstruction.accounts[0]],
-        to: transaction.message.accountKeys[mainInstruction.accounts[1]],
-        amount,
-      }
+  return parsedInstructions
+}
+
+async function getMintAddressFromTokenAccount(tokenAccountAddress, api) {
+  try {
+    const accountInfo = await api.getAccountInfo(tokenAccountAddress)
+    if (accountInfo?.data?.parsed?.info?.mint) {
+      return accountInfo.data.parsed.info.mint
     }
   } catch (error) {
-    console.log('transaction check error', error)
+    console.log('Error getting mint address:', error)
   }
 
-  throw new Error('Transaction not supported for buffer parsing')
+  return null
 }

package/src/tx/verify-only-fee-payer-changed.js

@@ -1,7 +1,12 @@
 import lodash from 'lodash'
 import assert from 'minimalistic-assert'
 
-import { TOKEN_2022_PROGRAM_ID, TOKEN_PROGRAM_ID } from '../constants.js'
+import {
+  SPL_TOKEN_AUTHORITY_TYPE,
+  SPL_TOKEN_INSTRUCTION_TYPE,
+  TOKEN_2022_PROGRAM_ID,
+  TOKEN_PROGRAM_ID,
+} from '../constants.js'
 import { ASSOCIATED_TOKEN_PROGRAM_ID } from '../helpers/spl-token.js'
 import { SYSVAR_RENT_PUBKEY } from '../vendor/index.js'
 
@@ -19,16 +24,16 @@ export function verifyOnlyFeePayerChanged(beforeTx, afterTx) {
     )
   })
   assert(
-    beforeTx.message.accountKeys.length + 1 === afterTx.message.accountKeys.length,
-    'Fee payer account key was not added'
+    beforeTx.message.accountKeys.length <= afterTx.message.accountKeys.length,
+    'Account keys were removed'
   )
   assert(
     beforeTx.message.accountKeys.every(
       (beforeAccountKey) => !lodash.isEqual(beforeAccountKey, afterTx.message.accountKeys[0])
     ),
-    'Fee payer account key was not added'
+    'Fee payer account key was not added as first account'
   )
-  beforeTx.message.accountKeys.forEach((accountKey, index) => {
+  beforeTx.message.accountKeys.forEach((accountKey) => {
     assert(
       afterTx.message.accountKeys.some((afterAccountKey) =>
         lodash.isEqual(accountKey, afterAccountKey)
@@ -37,69 +42,152 @@ export function verifyOnlyFeePayerChanged(beforeTx, afterTx) {
     )
   })
 
-  assert(
-    beforeTx.message.instructions.length === afterTx.message.instructions.length,
-    'No new instructions are allowed'
-  )
+  const originalInstructionCount = beforeTx.message.instructions.length
+  const sponsoredInstructionCount = afterTx.message.instructions.length
+  assert(originalInstructionCount <= sponsoredInstructionCount, 'Instructions were removed')
+
+  beforeTx.message.instructions.forEach((instruction, index) => {
+    const afterInstruction = afterTx.message.instructions[index]
 
-  beforeTx.message.instructions.forEach(({ programIdIndex }, index) => {
     assert(
       lodash.isEqual(
-        beforeTx.message.accountKeys[beforeTx.message.instructions[index].programIdIndex],
-        afterTx.message.accountKeys[afterTx.message.instructions[index]?.programIdIndex]
+        beforeTx.message.accountKeys[instruction.programIdIndex],
+        afterTx.message.accountKeys[afterInstruction.programIdIndex]
       ),
-      'Instructions program ids were not updated'
+      'Instructions program ids were not updated correctly'
     )
-  })
 
-  beforeTx.message.instructions.forEach(({ accounts }, index) => {
-    const programId =
-      beforeTx.message.accountKeys[beforeTx.message.instructions[index].programIdIndex].toString()
-    const isATAProgram =
-      programId === TOKEN_PROGRAM_ID.toString() ||
-      programId === TOKEN_2022_PROGRAM_ID.toString() ||
-      programId === ASSOCIATED_TOKEN_PROGRAM_ID.toString()
-    const accountsPublicKeys = accounts.map((id) => beforeTx.message.accountKeys[id])
-    const containsRentSysvar = accountsPublicKeys.some(
-      (publicKey) => publicKey.toString() === SYSVAR_RENT_PUBKEY.toString()
+    assert(
+      lodash.isEqual(instruction.data, afterInstruction.data),
+      'Fee payer service modified instruction data unexpectedly'
     )
 
-    const afterAccountsPublicKeys = afterTx.message.instructions[index].accounts.map(
-      (id) => afterTx.message.accountKeys[id]
-    )
+    const beforeAccounts = instruction.accounts.map((id) => beforeTx.message.accountKeys[id])
+    const afterAccounts = afterInstruction.accounts.map((id) => afterTx.message.accountKeys[id])
+
+    const programId = beforeTx.message.accountKeys[instruction.programIdIndex].toString()
+
+    const containsRentSysvar = beforeAccounts.some((publicKey) => {
+      const keyStr = publicKey?.toString ? publicKey.toString() : String(publicKey)
+      return keyStr === SYSVAR_RENT_PUBKEY.toString()
+    })
 
-    if (containsRentSysvar && isATAProgram) {
-      const adjustedAccountsPublicKeys = [...accountsPublicKeys]
-      adjustedAccountsPublicKeys[0] = afterTx.message.accountKeys[0] // replace with the new fee payer
+    if (containsRentSysvar && isATAProgram(programId)) {
+      const adjustedBeforeAccounts = [...beforeAccounts]
+      adjustedBeforeAccounts[0] = afterTx.message.accountKeys[0]
       assert(
-        lodash.isEqual(adjustedAccountsPublicKeys, afterAccountsPublicKeys),
-        'Instructions account key indexes were not updated'
+        lodash.isEqual(adjustedBeforeAccounts, afterAccounts),
+        'Instruction account keys were not updated correctly'
       )
     } else {
       assert(
-        lodash.isEqual(accountsPublicKeys, afterAccountsPublicKeys),
-        'Instructions account key indexes were not updated'
+        lodash.isEqual(beforeAccounts, afterAccounts),
+        'Instruction account keys were not updated correctly'
       )
     }
   })
 
-  beforeTx.message.instructions.forEach((instruction, index) => {
-    assert(
-      lodash.isEqual(
-        { ...instruction, accounts: null, programIdIndex: null },
-        {
-          ...afterTx.message.instructions[index],
-          accounts: null,
-          programIdIndex: null,
-        }
-      ),
-      'Instructions do not match in some attributes'
-    )
-  })
+  // If there are appended instructions, validate they are SetAuthority(CloseAccount)
+  if (sponsoredInstructionCount > originalInstructionCount) {
+    const expectedProtectedAccounts = getTokenAccountCreations(beforeTx)
+    const appendedCount = sponsoredInstructionCount - originalInstructionCount
 
-  afterTx.message.indexToProgramIds.forEach((value, key) => {
-    assert(afterTx.message.accountKeys[key] === value, 'IndexToProgramIds do not match accountKeys')
-  })
+    // If token accounts are being created, verify exact count match
+    if (expectedProtectedAccounts.length > 0) {
+      // Zero-trust mode: Server should add exactly one SetAuthority per sponsored token account
+      assert(
+        appendedCount === expectedProtectedAccounts.length,
+        `Expected ${expectedProtectedAccounts.length} SetAuthority instructions for created token accounts, but got ${appendedCount}`
+      )
+    }
+
+    const protectedAccountsMap = new Map()
+
+    for (let i = originalInstructionCount; i < sponsoredInstructionCount; i++) {
+      const instruction = afterTx.message.instructions[i]
+      const programId = afterTx.message.accountKeys[instruction.programIdIndex]
+
+      assert(
+        isTokenProgram(programId),
+        `Appended instruction ${i - originalInstructionCount + 1} is not from a token program`
+      )
+
+      const data = instruction.data
+      assert(
+        data && data.length > 0,
+        `Appended instruction ${i - originalInstructionCount + 1} has no data`
+      )
+
+      const instructionType = data[0]
+      assert(
+        instructionType === SPL_TOKEN_INSTRUCTION_TYPE.SET_AUTHORITY,
+        `Appended instruction ${i - originalInstructionCount + 1} is not SetAuthority`
+      )
+
+      assert(
+        data.length >= 35,
+        `Appended instruction ${i - originalInstructionCount + 1} has invalid SetAuthority data length`
+      )
+
+      const authorityType = data[1]
+      const hasNewAuthority = data[2]
+
+      assert(
+        authorityType === SPL_TOKEN_AUTHORITY_TYPE.CLOSE_ACCOUNT,
+        `Appended instruction ${i - originalInstructionCount + 1} is not for CloseAccount authority`
+      )
+
+      assert(
+        hasNewAuthority === 1,
+        `Appended instruction ${i - originalInstructionCount + 1} does not set a new authority`
+      )
+
+      assert(
+        instruction.accounts && instruction.accounts.length > 0,
+        `Appended instruction ${i - originalInstructionCount + 1} has no target account`
+      )
+
+      const targetAccountIndex = instruction.accounts[0]
+      const targetAccount = afterTx.message.accountKeys[targetAccountIndex].toString()
+
+      if (expectedProtectedAccounts.length > 0) {
+        // Find matching created account
+        const expectedAccount = expectedProtectedAccounts.find((exp) => {
+          return exp.account.toString() === targetAccount
+        })
+
+        assert(expectedAccount, `SetAuthority targets unexpected account: ${targetAccount}`)
+
+        // Verify using correct token program for this account
+        const expectedTokenProgram = expectedAccount.tokenProgram
+        assert(
+          programId.toString() === expectedTokenProgram.toString(),
+          `SetAuthority uses wrong token program for account ${targetAccount}`
+        )
+
+        assert(
+          !protectedAccountsMap.has(targetAccount),
+          `Duplicate SetAuthority for account ${targetAccount}`
+        )
+        protectedAccountsMap.set(targetAccount, true)
+      }
+    }
+
+    if (expectedProtectedAccounts.length > 0) {
+      assert(
+        protectedAccountsMap.size === expectedProtectedAccounts.length,
+        'Not all created token accounts received SetAuthority protection'
+      )
+    }
+  }
+
+  if (afterTx.message.indexToProgramIds) {
+    afterTx.message.indexToProgramIds.forEach((value, key) => {
+      const accountKey = afterTx.message.accountKeys[key]
+      const matches = accountKey?.equals ? accountKey.equals(value) : accountKey === value
+      assert(matches, 'IndexToProgramIds do not match accountKeys')
+    })
+  }
 
   assert(
     lodash.isEqual(
@@ -148,3 +236,61 @@ export function verifyOnlyFeePayerChanged(beforeTx, afterTx) {
     'Transactions do not match in some attributes'
   )
 }
+
+function isTokenProgram(programId) {
+  const programIdStr = programId.toString()
+  return (
+    programIdStr === TOKEN_PROGRAM_ID.toString() ||
+    programIdStr === TOKEN_2022_PROGRAM_ID.toString()
+  )
+}
+
+function isATAProgram(programId) {
+  const programIdStr = programId.toString()
+  return isTokenProgram(programId) || programIdStr === ASSOCIATED_TOKEN_PROGRAM_ID.toString()
+}
+
+function getTokenAccountCreations(transaction) {
+  const createdAccounts = []
+
+  transaction.message.instructions.forEach((instruction, index) => {
+    const programId = transaction.message.accountKeys[instruction.programIdIndex].toString()
+
+    // Check for ATA creation (Associated Token Account Program)
+    if (
+      programId === ASSOCIATED_TOKEN_PROGRAM_ID.toString() && // For ATA creation, the new account is typically at index 1
+      // Index 0 is payer, Index 1 is the ATA being created, Index 5 is the token program
+      instruction.accounts?.length >= 2
+    ) {
+      const ataIndex = instruction.accounts[1]
+      const tokenProgramIndex = instruction.accounts.length > 5 ? instruction.accounts[5] : null
+
+      createdAccounts.push({
+        accountIndex: ataIndex,
+        account: transaction.message.accountKeys[ataIndex],
+        tokenProgram: tokenProgramIndex
+          ? transaction.message.accountKeys[tokenProgramIndex]
+          : TOKEN_PROGRAM_ID,
+      })
+    }
+
+    // Check for InitializeAccount instruction (classic token account creation)
+    if (isTokenProgram(programId)) {
+      const data = instruction.data
+
+      if (
+        data?.length > 0 &&
+        data[0] === SPL_TOKEN_INSTRUCTION_TYPE.INITIALIZE_ACCOUNT &&
+        instruction.accounts?.length > 0
+      ) {
+        createdAccounts.push({
+          accountIndex: instruction.accounts[0],
+          account: transaction.message.accountKeys[instruction.accounts[0]],
+          tokenProgram: programId,
+        })
+      }
+    }
+  })
+
+  return createdAccounts
+}

package/src/vendor/index.js

@@ -9,3 +9,4 @@ export * from './stake-program.js'
 export * from './sysvar.js'
 export * from './transaction.js'
 export * from './constants.js'
+export { TOKEN_INSTRUCTION_LAYOUTS } from './token-program.js'

package/src/vendor/token-program.js

@@ -0,0 +1,98 @@
+/**
+ * Token Program instruction layouts
+ * Token-2022 (Token Extensions) is backward compatible with these instruction types
+ *
+ * Reference: https://github.com/solana-program/token/blob/81ba155af8684c224c943af16ac3d70f5cad5e93/pinocchio/interface/src/instruction.rs
+ */
+
+/**
+ * An enumeration of valid SPL Token InstructionType's
+ */
+export const TOKEN_INSTRUCTION_LAYOUTS = Object.freeze({
+  InitializeMint: {
+    index: 0,
+  },
+  InitializeAccount: {
+    index: 1,
+  },
+  InitializeMultisig: {
+    index: 2,
+  },
+  Transfer: {
+    index: 3,
+    // Accounts: [source, destination, authority]
+  },
+  Approve: {
+    index: 4,
+  },
+  Revoke: {
+    index: 5,
+  },
+  SetAuthority: {
+    index: 6,
+  },
+  MintTo: {
+    index: 7,
+  },
+  Burn: {
+    index: 8,
+  },
+  CloseAccount: {
+    index: 9,
+  },
+  FreezeAccount: {
+    index: 10,
+  },
+  ThawAccount: {
+    index: 11,
+  },
+  TransferChecked: {
+    index: 12,
+    // Accounts: [source, mint, destination, authority]
+  },
+  ApproveChecked: {
+    index: 13,
+  },
+  MintToChecked: {
+    index: 14,
+  },
+  BurnChecked: {
+    index: 15,
+  },
+  InitializeAccount2: {
+    index: 16,
+  },
+  SyncNative: {
+    index: 17,
+  },
+  InitializeAccount3: {
+    index: 18,
+  },
+  InitializeMultisig2: {
+    index: 19,
+  },
+  InitializeMint2: {
+    index: 20,
+  },
+  GetAccountDataSize: {
+    index: 21,
+  },
+  InitializeImmutableOwner: {
+    index: 22,
+  },
+  AmountToUiAmount: {
+    index: 23,
+  },
+  UiAmountToAmount: {
+    index: 24,
+  },
+  WithdrawExcessLamports: {
+    index: 38,
+  },
+  UnwrapLamports: {
+    index: 45,
+  },
+  Batch: {
+    index: 255,
+  },
+})