@exodus/solana-lib 3.21.1 → 3.22.1

package/CHANGELOG.md

@@ -3,6 +3,24 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+## [3.22.1](https://github.com/ExodusMovement/assets/compare/@exodus/solana-lib@3.22.0...@exodus/solana-lib@3.22.1) (2026-03-18)
+
+**Note:** Version bump only for package @exodus/solana-lib
+
+
+
+
+
+## [3.22.0](https://github.com/ExodusMovement/assets/compare/@exodus/solana-lib@3.21.1...@exodus/solana-lib@3.22.0) (2026-03-13)
+
+
+### Features
+
+
+* feat: solana add instruction shape validation (#7575)
+
+
+
 ## [3.21.1](https://github.com/ExodusMovement/assets/compare/@exodus/solana-lib@3.21.0...@exodus/solana-lib@3.21.1) (2026-03-12)
 
 **Note:** Version bump only for package @exodus/solana-lib

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@exodus/solana-lib",
-  "version": "3.21.1",
+  "version": "3.22.1",
   "description": "Solana utils, such as for cryptography, address encoding/decoding, transaction building, etc.",
   "type": "module",
   "main": "src/index.js",
@@ -48,5 +48,5 @@
     "type": "git",
     "url": "git+https://github.com/ExodusMovement/assets.git"
   },
-  "gitHead": "1c57290eed9f84bfd28f25948796f52f94e8a52f"
+  "gitHead": "e746a88ef78a0e7167587bfa14068ceb494d6fd7"
 }

package/src/keypair.js

@@ -1,8 +1,12 @@
 import {
+  // eslint-disable-next-line @exodus/import/no-deprecated
   edwardsToPublicSync,
+  // eslint-disable-next-line @exodus/import/no-deprecated
   signDetachedSync,
+  // eslint-disable-next-line @exodus/import/no-deprecated
   verifyDetachedSync,
 } from '@exodus/crypto/curve25519'
+// eslint-disable-next-line @exodus/import/no-deprecated
 import { randomBytes } from '@exodus/crypto/randomBytes'
 
 import { PublicKey } from './vendor/publickey.js'
@@ -10,6 +14,7 @@ import { PublicKey } from './vendor/publickey.js'
 export function getKeyPairFromPrivateKey(seed) {
   const pair = Buffer.from(seed, 'hex')
   const privateKey = pair.subarray(0, 32)
+  // eslint-disable-next-line @exodus/import/no-deprecated
   const publicKey = edwardsToPublicSync({ privateKey, format: 'buffer' })
 
   // Recheck just in case
@@ -23,6 +28,7 @@ export function getKeyPairFromPrivateKey(seed) {
 }
 
 export function generateKeyPair() {
+  // eslint-disable-next-line @exodus/import/no-deprecated
   const { publicKey, privateKey } = getKeyPairFromPrivateKey(randomBytes(32))
 
   return {
@@ -36,6 +42,7 @@ export function getPublicKey(privateKey) {
 }
 
 export function sign(data, privateKey) {
+  // eslint-disable-next-line @exodus/import/no-deprecated
   return signDetachedSync({
     message: data,
     privateKey: Buffer.from(privateKey, 'hex'),
@@ -44,5 +51,6 @@ export function sign(data, privateKey) {
 }
 
 export function verifySignature(data, signature, publicKey) {
+  // eslint-disable-next-line @exodus/import/no-deprecated
   return verifyDetachedSync({ message: data, signature, publicKey: Buffer.from(publicKey, 'hex') })
 }

package/src/magiceden/coders.js

@@ -1,4 +1,5 @@
 import * as BufferLayout from '@exodus/buffer-layout'
+// eslint-disable-next-line @exodus/import/no-deprecated
 import { hashSync } from '@exodus/crypto/hash'
 
 import { bnAmountU64, publicKey } from '../vendor/utils/layout.js'
@@ -21,6 +22,7 @@ const idl = {
 export function sighash(nameSpace, ixName) {
   const preimage = `${nameSpace}:${ixName}`
 
+  // eslint-disable-next-line @exodus/import/no-deprecated
   return hashSync('sha256', preimage).slice(0, 8)
 }
 

package/src/msg/sign-message-deprecated.js

@@ -1,3 +1,4 @@
+// eslint-disable-next-line @exodus/import/no-deprecated
 import { signDetachedSync } from '@exodus/crypto/curve25519'
 import bs58 from 'bs58'
 import assert from 'minimalistic-assert'
@@ -13,6 +14,7 @@ export function signMessage({ message, privateKey }) {
     !isTransactionMessage(messageBuffer),
     'attempted to sign transaction using message signing'
   )
+  // eslint-disable-next-line @exodus/import/no-deprecated
   const signature = signDetachedSync({
     message: messageBuffer,
     privateKey: Buffer.from(privateKey, 'hex').subarray(0, 32),

package/src/tx/instruction-utils.js

@@ -4,9 +4,64 @@ import {
   TOKEN_2022_PROGRAM_ID,
   TOKEN_PROGRAM_ID,
 } from '../constants.js'
-import { TOKEN_INSTRUCTION_LAYOUTS, TRANSFER_FEE_SUB_INSTRUCTIONS } from '../vendor/index.js'
+import {
+  SYSTEM_INSTRUCTION_LAYOUTS,
+  TOKEN_INSTRUCTION_LAYOUTS,
+  TRANSFER_FEE_SUB_INSTRUCTIONS,
+} from '../vendor/index.js'
 import { toBuffer } from '../vendor/utils/to-buffer.js'
 
+/** Token instruction type index → { minBytes, minAccounts } for hasValidShape. Uses TOKEN_INSTRUCTION_LAYOUTS indices. */
+export const TOKEN_INSTRUCTION_REQUIREMENTS = Object.freeze({
+  [TOKEN_INSTRUCTION_LAYOUTS.InitializeAccount.index]: { minBytes: 1, minAccounts: 4 },
+  [TOKEN_INSTRUCTION_LAYOUTS.InitializeAccount2.index]: { minBytes: 33, minAccounts: 3 },
+  [TOKEN_INSTRUCTION_LAYOUTS.InitializeAccount3.index]: { minBytes: 33, minAccounts: 2 },
+  [TOKEN_INSTRUCTION_LAYOUTS.Transfer.index]: { minBytes: 9, minAccounts: 3 },
+  [TOKEN_INSTRUCTION_LAYOUTS.TransferChecked.index]: { minBytes: 10, minAccounts: 4 },
+  [TOKEN_INSTRUCTION_LAYOUTS.TransferFeeExtension.index]: { minBytes: 19, minAccounts: 4 },
+  [TOKEN_INSTRUCTION_LAYOUTS.CloseAccount.index]: { minBytes: 1, minAccounts: 3 },
+  [TOKEN_INSTRUCTION_LAYOUTS.Approve.index]: { minBytes: 9, minAccounts: 3 },
+  [TOKEN_INSTRUCTION_LAYOUTS.ApproveChecked.index]: { minBytes: 10, minAccounts: 4 },
+  [TOKEN_INSTRUCTION_LAYOUTS.Revoke.index]: { minBytes: 1, minAccounts: 2 },
+  [TOKEN_INSTRUCTION_LAYOUTS.SyncNative.index]: { minBytes: 1, minAccounts: 1 },
+  [TOKEN_INSTRUCTION_LAYOUTS.SetAuthority.index]: { minBytes: 35, minAccounts: 2 },
+})
+
+/** System program instruction type index → { minBytes, minAccounts } for hasValidShape. */
+export const SYSTEM_INSTRUCTION_REQUIREMENTS = Object.freeze({
+  [SYSTEM_INSTRUCTION_LAYOUTS.Transfer.index]: { minBytes: 12, minAccounts: 2 },
+})
+
+/**
+ * Checks that an instruction has the required shape (data length and account count).
+ * Works with both legacy shape (keys/data) and normalized shape (accounts/data).
+ *
+ * @param {Object} instruction - Instruction object with `data` and either `keys` or `accounts`
+ * @param {Object} reqs - Requirements: `{ minBytes?: number, minAccounts?: number }`
+ * @returns {boolean}
+ */
+export function hasValidShape(instruction, reqs) {
+  if (!reqs) return false
+  let data = null
+  if (instruction?.data != null) {
+    try {
+      data = toBuffer(instruction.data)
+    } catch {
+      return false
+    }
+  }
+
+  const minBytes = reqs.minBytes ?? 0
+  const minAccounts = reqs.minAccounts ?? 0
+  const accounts = instruction?.keys ?? instruction?.accounts
+  return (
+    data != null &&
+    data.length >= minBytes &&
+    Array.isArray(accounts) &&
+    accounts.length >= minAccounts
+  )
+}
+
 export function isTokenProgramInstruction(instruction) {
   const programId = instruction?.programId
   if (!programId) return false
@@ -16,12 +71,11 @@ export function isTokenProgramInstruction(instruction) {
 export function isSystemTransferInstruction(instruction) {
   const programId = instruction?.programId
   if (!programId || !programId.equals(SYSTEM_PROGRAM_ID)) return false
-  if (!Array.isArray(instruction.keys) || instruction.keys.length !== 2) return false
-  if (!instruction.data) return false
+  const reqs = SYSTEM_INSTRUCTION_REQUIREMENTS[SYSTEM_INSTRUCTION_LAYOUTS.Transfer.index]
+  if (!hasValidShape(instruction, reqs)) return false
   try {
     const buffer = toBuffer(instruction.data)
-    if (buffer.length < 12) return false
-    return buffer.readUInt32LE(0) === 2
+    return buffer.readUInt32LE(0) === SYSTEM_INSTRUCTION_LAYOUTS.Transfer.index
   } catch {
     return false
   }
@@ -35,31 +89,34 @@ export function isComputeBudgetInstruction(instruction) {
 
 export function isSetAuthorityInstruction(instruction) {
   if (!isTokenProgramInstruction(instruction)) return false
-  if (!instruction.data) return false
+  const reqs = TOKEN_INSTRUCTION_REQUIREMENTS[TOKEN_INSTRUCTION_LAYOUTS.SetAuthority.index]
+  if (!hasValidShape(instruction, reqs)) return false
   const buffer = toBuffer(instruction.data)
-  return buffer.length > 0 && buffer[0] === TOKEN_INSTRUCTION_LAYOUTS.SetAuthority.index
+  return buffer[0] === TOKEN_INSTRUCTION_LAYOUTS.SetAuthority.index
 }
 
 export function isTransferInstruction(instruction) {
   if (!isTokenProgramInstruction(instruction)) return false
-  if (!instruction.data) return false
+  const reqs = TOKEN_INSTRUCTION_REQUIREMENTS[TOKEN_INSTRUCTION_LAYOUTS.Transfer.index]
+  if (!hasValidShape(instruction, reqs)) return false
   const buffer = toBuffer(instruction.data)
-  return buffer.length > 0 && buffer[0] === TOKEN_INSTRUCTION_LAYOUTS.Transfer.index
+  return buffer[0] === TOKEN_INSTRUCTION_LAYOUTS.Transfer.index
 }
 
 export function isTransferCheckedInstruction(instruction) {
   if (!isTokenProgramInstruction(instruction)) return false
-  if (!instruction.data) return false
+  const reqs = TOKEN_INSTRUCTION_REQUIREMENTS[TOKEN_INSTRUCTION_LAYOUTS.TransferChecked.index]
+  if (!hasValidShape(instruction, reqs)) return false
   const buffer = toBuffer(instruction.data)
-  return buffer.length > 0 && buffer[0] === TOKEN_INSTRUCTION_LAYOUTS.TransferChecked.index
+  return buffer[0] === TOKEN_INSTRUCTION_LAYOUTS.TransferChecked.index
 }
 
 export function isTransferCheckedWithFeeInstruction(instruction) {
   if (!isTokenProgramInstruction(instruction)) return false
-  if (!instruction.data) return false
+  const reqs = TOKEN_INSTRUCTION_REQUIREMENTS[TOKEN_INSTRUCTION_LAYOUTS.TransferFeeExtension.index]
+  if (!hasValidShape(instruction, reqs)) return false
   const buffer = toBuffer(instruction.data)
   return (
-    buffer.length >= 2 &&
     buffer[0] === TOKEN_INSTRUCTION_LAYOUTS.TransferFeeExtension.index &&
     buffer[1] === TRANSFER_FEE_SUB_INSTRUCTIONS.TransferCheckedWithFee
   )

package/src/tx/prepare-for-signing.js

@@ -1,3 +1,4 @@
+// eslint-disable-next-line @exodus/import/no-deprecated
 import { isNumberUnit } from '@exodus/currency'
 import { VersionedTransaction } from '@exodus/solana-web3.js'
 import BN from 'bn.js'
@@ -55,11 +56,13 @@ export function prepareForSigning(unsignedTx, { checkBalances = true } = {}) {
     const address = from
 
     const amount = unitAmount
-      ? new BN(isNumberUnit(unitAmount) ? unitAmount.toBaseString() : unitAmount).toString()
+      ? // eslint-disable-next-line @exodus/import/no-deprecated
+        new BN(isNumberUnit(unitAmount) ? unitAmount.toBaseString() : unitAmount).toString()
       : unitAmount
 
     const fee = feeAmount
-      ? new BN(isNumberUnit(feeAmount) ? feeAmount.toBaseString() : feeAmount).toNumber()
+      ? // eslint-disable-next-line @exodus/import/no-deprecated
+        new BN(isNumberUnit(feeAmount) ? feeAmount.toBaseString() : feeAmount).toNumber()
       : feeAmount
 
     const txData = { ...unsignedTx.txData, address, amount, fee }

package/src/vendor/publickey.js

@@ -1,5 +1,7 @@
 import { typedView } from '@exodus/bytes/array.js'
+// eslint-disable-next-line @exodus/import/no-deprecated
 import { edwardsToMontgomeryPublicSync } from '@exodus/crypto/curve25519'
+// eslint-disable-next-line @exodus/import/no-deprecated
 import { hashSync } from '@exodus/crypto/hash'
 import BN from 'bn.js'
 import bs58 from 'bs58'
@@ -121,6 +123,7 @@ export class PublicKey {
       Buffer.from(seed),
       programId.toBuffer(),
     ])
+    // eslint-disable-next-line @exodus/import/no-deprecated
     const hash = hashSync('sha256', buffer)
     return new PublicKey(hash)
   }
@@ -138,6 +141,7 @@ export class PublicKey {
       buffer = Buffer.concat([buffer, Buffer.from(seed)])
     })
     buffer = Buffer.concat([buffer, programId.toBuffer(), Buffer.from('ProgramDerivedAddress')])
+    // eslint-disable-next-line @exodus/import/no-deprecated
     const hash = hashSync('sha256', buffer, 'hex')
     const publicKeyBytes = new BN(hash, 16).toArray(null, 32)
     if (isOnCurve(publicKeyBytes)) {
@@ -152,6 +156,7 @@ export class PublicKey {
 function isOnCurve(p) {
   try {
     // This tries to parse edwards public key and validates it
+    // eslint-disable-next-line @exodus/import/no-deprecated
     edwardsToMontgomeryPublicSync({ publicKey: Uint8Array.from(p) })
     return true
   } catch {}

package/src/vendor/transaction.js

@@ -1,5 +1,6 @@
 // https://github.com/solana-labs/solana-web3.js/blob/master/src/transaction.js
 
+// eslint-disable-next-line @exodus/import/no-deprecated
 import { signDetachedSync, verifyDetachedSync } from '@exodus/crypto/curve25519'
 import bs58 from 'bs58'
 import invariant from 'minimalistic-assert'
@@ -436,6 +437,7 @@ export class Transaction {
 
     const signData = message.serialize()
     signers.forEach((signer) => {
+      // eslint-disable-next-line @exodus/import/no-deprecated
       const signature = signDetachedSync({ message: signData, privateKey: signer.privateKey })
       this.addSignature(signer.publicKey, signature)
     })
@@ -474,6 +476,7 @@ export class Transaction {
         }
       } else {
         if (
+          // eslint-disable-next-line @exodus/import/no-deprecated
           !verifyDetachedSync({ message: signData, signature, publicKey: publicKey.toBuffer() })
         ) {
           return false