fix: resolve Issue #5 Hardcoded Rent Calculation

onspeedhp · onspeedhp · commit 50bb5b7459af · 2026-02-06T21:14:15.000+07:00
- Replace hardcoded rent constants with Rent::minimum_balance(space) in manage_authority.rs
- Use Rent sysvar in all AddAuthority logic (program + tests)
- Update TEST_ISSUES.md
diff --git a/program/src/processor/manage_authority.rs b/program/src/processor/manage_authority.rs
@@ -5,6 +5,7 @@ use pinocchio::{
     instruction::Seed,
     program_error::ProgramError,
     pubkey::{find_program_address, Pubkey},
+    sysvars::rent::Rent,
     ProgramResult,
 };
 
@@ -141,6 +142,10 @@ pub fn process_add_authority(
     ) {
         return Err(ProgramError::IncorrectProgramId);
     }
+    let rent_sysvar_info = account_info_iter
+        .next()
+        .ok_or(ProgramError::NotEnoughAccountKeys)?;
+    let rent = Rent::from_account_info(rent_sysvar_info)?;
 
     // Check removed here, moved to type-specific logic
     // if !admin_auth_pda.is_writable() {
@@ -210,10 +215,7 @@ pub fn process_add_authority(
         full_auth_data.len()
     };
     let space = header_size + variable_size;
-    let rent = (space as u64)
-        .checked_mul(6960)
-        .and_then(|val| val.checked_add(897840))
-        .ok_or(ProgramError::ArithmeticOverflow)?;
+    let rent_lamports = rent.minimum_balance(space);
 
     // Use secure transfer-allocate-assign pattern to prevent DoS (Issue #4)
     let bump_arr = [bump];
@@ -229,7 +231,7 @@ pub fn process_add_authority(
         new_auth_pda,
         system_program,
         space,
-        rent,
+        rent_lamports,
         program_id,
         &seeds,
     )?;
diff --git a/tests-e2e/TEST_ISSUES.md b/tests-e2e/TEST_ISSUES.md
@@ -22,6 +22,14 @@
 **Status**: ✅ Fixed
 **Fix**: Removed unused owner keypair from transaction signing to match instruction accounts.
 
+### Issue #6 (DoS): System Program Create Account
+**Status**: ✅ Fixed
+**Fix**: Implemented Transfer-Allocate-Assign pattern in `utils.rs`. Verified by `dos_attack.rs`.
+
+### Issue #7 (Rent Calc): Hardcoded Rent
+**Status**: ✅ Fixed
+**Fix**: Replaced hardcoded rent calculations with `Rent::minimum_balance(space)` in `create_wallet.rs` and `manage_authority.rs`. Verified by tests.
+
 ## Current Status
 All E2E scenarios are PASSING.
 - Happy Path
diff --git a/tests-e2e/src/scenarios/cross_wallet_attacks.rs b/tests-e2e/src/scenarios/cross_wallet_attacks.rs
@@ -130,6 +130,7 @@ pub fn run(ctx: &mut TestContext) -> Result<()> {
             AccountMeta::new(owner_a_auth.to_address(), false), // Auth: Owner A (WRONG WALLET)
             AccountMeta::new(attacker_auth_b.to_address(), false),
             AccountMeta::new_readonly(solana_system_program::id().to_address(), false),
+            AccountMeta::new_readonly(solana_sysvar::rent::ID.to_address(), false),
             AccountMeta::new_readonly(Signer::pubkey(&owner_a).to_address(), true), // Owner A signing
         ],
         data: add_cross_data,
diff --git a/tests-e2e/src/scenarios/failures.rs b/tests-e2e/src/scenarios/failures.rs
@@ -160,6 +160,7 @@ pub fn run(ctx: &mut TestContext) -> Result<()> {
             AccountMeta::new_readonly(owner_auth_pda.to_address(), false), // auth
             AccountMeta::new(spender_auth_pda.to_address(), false),        // target
             AccountMeta::new_readonly(solana_system_program::id().to_address(), false),
+            AccountMeta::new_readonly(solana_sysvar::rent::ID.to_address(), false),
             AccountMeta::new_readonly(Signer::pubkey(&owner_keypair).to_address(), true), // signer
         ],
         data: add_spender_data,
@@ -201,6 +202,7 @@ pub fn run(ctx: &mut TestContext) -> Result<()> {
             AccountMeta::new_readonly(spender_auth_pda.to_address(), false), // Spender auth
             AccountMeta::new(bad_admin_pda.to_address(), false),             // Target (Bad admin)
             AccountMeta::new_readonly(solana_system_program::id().to_address(), false),
+            AccountMeta::new_readonly(solana_sysvar::rent::ID.to_address(), false),
             AccountMeta::new_readonly(Signer::pubkey(&spender_keypair).to_address(), true), // Signer
         ],
         data: malicious_add,
@@ -318,6 +320,7 @@ pub fn run(ctx: &mut TestContext) -> Result<()> {
             AccountMeta::new_readonly(owner_auth_pda.to_address(), false), // auth
             AccountMeta::new(admin_auth_pda.to_address(), false),          // target
             AccountMeta::new_readonly(solana_system_program::id().to_address(), false),
+            AccountMeta::new_readonly(solana_sysvar::rent::ID.to_address(), false),
             AccountMeta::new_readonly(Signer::pubkey(&owner_keypair).to_address(), true), // signer
         ],
         data: add_admin_data,
diff --git a/tests-e2e/src/scenarios/happy_path.rs b/tests-e2e/src/scenarios/happy_path.rs
@@ -167,6 +167,7 @@ pub fn run(ctx: &mut TestContext) -> Result<()> {
             AccountMeta::new_readonly(owner_auth_pda.to_address(), false),
             AccountMeta::new(secp_auth_pda.to_address(), false),
             AccountMeta::new_readonly(solana_system_program::id().to_address(), false),
+            AccountMeta::new_readonly(solana_sysvar::rent::ID.to_address(), false),
             AccountMeta::new_readonly(Signer::pubkey(&owner_keypair).to_address(), true),
         ],
         data: add_auth_data,
@@ -280,6 +281,7 @@ pub fn run(ctx: &mut TestContext) -> Result<()> {
             AccountMeta::new(owner_auth_pda.to_address(), false), // Current Owner
             AccountMeta::new(new_owner_pda.to_address(), false),  // New Owner
             AccountMeta::new_readonly(solana_system_program::id().to_address(), false),
+            AccountMeta::new_readonly(solana_sysvar::rent::ID.to_address(), false),
             AccountMeta::new_readonly(Signer::pubkey(&owner_keypair).to_address(), true),
         ],
         data: transfer_own_data,
