@exodus/solana-lib 3.19.0 → 3.19.1

package/CHANGELOG.md

@@ -3,6 +3,14 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+## [3.19.1](https://github.com/ExodusMovement/assets/compare/@exodus/solana-lib@3.19.0...@exodus/solana-lib@3.19.1) (2026-01-08)
+
+**Note:** Version bump only for package @exodus/solana-lib
+
+
+
+
+
 ## [3.19.0](https://github.com/ExodusMovement/assets/compare/@exodus/solana-lib@3.18.4...@exodus/solana-lib@3.19.0) (2026-01-08)
 
 
@@ -11,6 +19,8 @@ See [Conventional Commits](https://conventionalcommits.org) for commit guideline
 
 * feat: filter SOL poisoning txs (#7212)
 
+* feat: use checked token transfer instruction (#7219)
+
 
 
 ## [3.18.4](https://github.com/ExodusMovement/assets/compare/@exodus/solana-lib@3.18.3...@exodus/solana-lib@3.18.4) (2026-01-06)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@exodus/solana-lib",
-  "version": "3.19.0",
+  "version": "3.19.1",
   "description": "Solana utils, such as for cryptography, address encoding/decoding, transaction building, etc.",
   "type": "module",
   "main": "src/index.js",
@@ -47,5 +47,5 @@
     "type": "git",
     "url": "git+https://github.com/ExodusMovement/assets.git"
   },
-  "gitHead": "273cd4583facb72bc145c5cdfe29063f78b13491"
+  "gitHead": "99b6365c54f3b11fda999c2f89c82bdc354fc073"
 }

package/src/helpers/spl-token.js

@@ -470,6 +470,10 @@ export const Token = {
   /**
    * Construct a Transfer instruction
    *
+   * @deprecated Use createTransferCheckedInstruction instead. The Transfer instruction
+   * does not include mint and decimals, causing hardware wallets (like Trezor) to show
+   * warnings about unknown token decimals.
+   *
    * @param programId SPL Token program account
    * @param source Source account
    * @param destination Destination account
@@ -520,6 +524,77 @@ export const Token = {
     })
   },
 
+  /**
+   * Construct a TransferChecked instruction
+   *
+   * This is the recommended instruction for token transfers as it includes the mint
+   * address and decimals, which allows hardware wallets to properly verify and display
+   * token information.
+   *
+   * @param programId SPL Token program account
+   * @param source Source token account
+   * @param mint Token mint account
+   * @param destination Destination token account
+   * @param owner Owner of the source account
+   * @param multiSigners Signing accounts if `authority` is a multiSig
+   * @param amount Number of tokens to transfer
+   * @param decimals Number of decimals for the token
+   */
+  createTransferCheckedInstruction(
+    programId,
+    source,
+    mint,
+    destination,
+    owner,
+    multiSigners,
+    amount,
+    decimals
+  ) {
+    const dataLayout = BufferLayout.struct([
+      BufferLayout.u8('instruction'),
+      Layout.uint64('amount'),
+      BufferLayout.u8('decimals'),
+    ])
+
+    const data = Buffer.alloc(dataLayout.span)
+    dataLayout.encode(
+      {
+        instruction: 12, // TransferChecked instruction
+        amount: new U64(amount).toBuffer(),
+        decimals,
+      },
+      data
+    )
+
+    const keys = [
+      { pubkey: source, isSigner: false, isWritable: true },
+      { pubkey: mint, isSigner: false, isWritable: false },
+      { pubkey: destination, isSigner: false, isWritable: true },
+    ]
+    if (multiSigners.length === 0) {
+      keys.push({
+        pubkey: owner,
+        isSigner: true,
+        isWritable: false,
+      })
+    } else {
+      keys.push({ pubkey: owner, isSigner: false, isWritable: false })
+      multiSigners.forEach((signer) =>
+        keys.push({
+          pubkey: signer.publicKey,
+          isSigner: true,
+          isWritable: false,
+        })
+      )
+    }
+
+    return new TransactionInstruction({
+      keys,
+      programId,
+      data,
+    })
+  },
+
   decode(data) {
     return BufferLayout.struct([
       publicKey('mint'),

package/src/helpers/tokenTransfer.js

@@ -59,7 +59,11 @@ function createIx(
   })
 }
 
-// https://github.com/paul-schaaf/spl-token-ui/blob/main/src/solana/token/editing.ts#L211
+/**
+ * @deprecated Use createTokenTransferCheckedInstruction instead. The Transfer instruction
+ * does not include mint and decimals, causing hardware wallets (like Trezor) to show
+ * warnings about unknown token decimals.
+ */
 export const createTokenTransferInstruction = (owner, fromTokenAddress, to, amount) => {
   const sourcePubkey = new PublicKey(fromTokenAddress) // the token ADDRESS needed!
   const destinationPubkey = new PublicKey(to)
@@ -75,6 +79,47 @@ export const createTokenTransferInstruction = (owner, fromTokenAddress, to, amou
   )
 }
 
+/**
+ * Create a token transfer instruction using TransferChecked.
+ * This is the recommended method as it includes mint and decimals, which allows
+ * hardware wallets to properly verify and display token information.
+ *
+ * @param {string} owner - The owner of the source token account (native SOL address)
+ * @param {string} fromTokenAddress - The source token account address
+ * @param {string} mintAddress - The token mint address
+ * @param {string} to - The destination token account address
+ * @param {BN|string} amount - The amount to transfer (in base units)
+ * @param {number} decimals - The token decimals
+ * @param {string} [tokenProgram] - The token program ID (defaults to TOKEN_PROGRAM_ID)
+ * @returns {TransactionInstruction}
+ */
+export const createTokenTransferCheckedInstruction = (
+  owner,
+  fromTokenAddress,
+  mintAddress,
+  to,
+  amount,
+  decimals,
+  tokenProgram = TOKEN_PROGRAM_ID.toBase58()
+) => {
+  const sourcePubkey = new PublicKey(fromTokenAddress)
+  const mintPubkey = new PublicKey(mintAddress)
+  const destinationPubkey = new PublicKey(to)
+  const ownerPubkey = new PublicKey(owner)
+  const tokenProgramId = new PublicKey(tokenProgram)
+
+  return Token.createTransferCheckedInstruction(
+    tokenProgramId,
+    sourcePubkey,
+    mintPubkey,
+    destinationPubkey,
+    ownerPubkey,
+    [],
+    amount.toString(),
+    decimals
+  )
+}
+
 export const createCloseAccountInstruction = ({
   programId = TOKEN_PROGRAM_ID,
   tokenPublicKey,

package/src/transaction.js

@@ -8,7 +8,7 @@ import { createTransferCheckedWithFeeInstruction } from './helpers/spl-token-202
 import {
   createAssociatedTokenAccount,
   createCloseAccountInstruction,
-  createTokenTransferInstruction,
+  createTokenTransferCheckedInstruction,
 } from './helpers/tokenTransfer.js'
 import { MagicEdenEscrowProgram } from './magiceden/escrow-program.js'
 import {
@@ -208,11 +208,14 @@ class Tx {
           decimals // token decimals
         )
       } else {
-        tokenTransferInstruction = createTokenTransferInstruction(
+        tokenTransferInstruction = createTokenTransferCheckedInstruction(
           from,
           tokenAccountAddress,
+          tokenMintAddress,
           dest,
-          amountToSend
+          amountToSend,
+          decimals,
+          tokenProgram
         )
       }
 

package/src/tx/sign-hardware.js

@@ -1,11 +1,84 @@
 import assert from 'minimalistic-assert'
 
+import { TOKEN_PROGRAM_ID } from '../constants.js'
 import { PublicKey } from '../vendor/index.js'
 import { extractTransaction } from './common.js'
 import { prepareForSigning } from './prepare-for-signing.js'
 
+// Instruction types
+const TOKEN_INSTRUCTION_TRANSFER_CHECKED = 12
+
+/**
+ * Extract token transfer info from a VersionedTransaction.
+ */
+const extractTransferInfo = (tx) => {
+  const message = tx.message
+  const accountKeys = message.staticAccountKeys.map((k) => k.toBase58())
+
+  for (const instruction of message.compiledInstructions) {
+    const programId = accountKeys[instruction.programIdIndex]
+    const accounts = instruction.accountKeyIndexes
+    const data = instruction.data
+
+    // TransferChecked: [source, mint, destination, owner]
+    if (
+      programId === TOKEN_PROGRAM_ID.toBase58() &&
+      data?.[0] === TOKEN_INSTRUCTION_TRANSFER_CHECKED &&
+      accounts.length >= 4
+    ) {
+      return {
+        sourceTokenAccount: accountKeys[accounts[0]],
+        tokenMint: accountKeys[accounts[1]],
+        destTokenAccount: accountKeys[accounts[2]],
+        sourceOwner: accountKeys[accounts[3]],
+        tokenProgram: programId,
+      }
+    }
+  }
+
+  return null
+}
+
+/**
+ * Build tokenAccountsInfos by looking up token account owners via RPC.
+ */
+const buildTokenAccountsInfos = async (tx, api) => {
+  const transferInfo = extractTransferInfo(tx)
+
+  if (!transferInfo) {
+    return
+  }
+
+  // Look up destination token account owner via RPC
+  try {
+    const accountInfo = await api.getAccountInfo(transferInfo.destTokenAccount)
+    const destOwner = accountInfo?.data?.parsed?.info?.owner
+
+    if (!destOwner) {
+      return
+    }
+
+    return [
+      {
+        baseAddress: transferInfo.sourceOwner,
+        tokenProgram: transferInfo.tokenProgram,
+        tokenMint: transferInfo.tokenMint,
+        tokenAccount: transferInfo.sourceTokenAccount,
+      },
+      {
+        baseAddress: destOwner,
+        tokenProgram: transferInfo.tokenProgram,
+        tokenMint: transferInfo.tokenMint,
+        tokenAccount: transferInfo.destTokenAccount,
+      },
+    ]
+  } catch {
+    // RPC lookup failed, continue without token account info
+  }
+}
+
 export const createSignHardwareFactory =
-  ({ getKeyIdentifier }) =>
+  ({ getKeyIdentifier, api }) =>
   async ({ unsignedTx, hardwareDevice, accountIndex }) => {
     assert(hardwareDevice, 'expected hardwareDevice to be defined')
     assert(
@@ -21,10 +94,14 @@ export const createSignHardwareFactory =
       accountIndex,
     })
 
+    // Build token account infos with RPC lookup for token transfers
+    const tokenAccountsInfos = api ? await buildTokenAccountsInfos(tx, api) : undefined
+
     const signatures = await hardwareDevice.signTransaction({
       assetName: 'solana',
       signableTransaction: Buffer.from(tx.message.serialize()),
       derivationPaths: [derivationPath],
+      tokenAccountsInfos,
     })
 
     signatures.forEach(({ publicKey, signature }) => {