fix(asset-leasing): reject leased_mint == collateral_mint on create_lease

Edward (Edwardbot) · Edward (Edwardbot) · commit 28a715d37c2b · 2026-04-19T00:12:22.000Z
If both mints are the same SPL mint, the two vaults' PDA derivations still
collapse to different addresses (their seeds differ) but they hold the same
asset — rent streams out of the same token supply the lessee posted as
collateral, and the 'what do I owe vs what do I hold' invariant breaks.

Guard the case at the top of `handle_create_lease` with a new error,
`LeasedMintEqualsCollateralMint`. New litesvm test
`create_lease_rejects_same_mint_for_leased_and_collateral` verifies the
rejection using a handcrafted instruction that sets both mint fields to
the leased mint.

10 tests now pass (was 9).
diff --git a/defi/asset-leasing/anchor/programs/asset-leasing/src/errors.rs b/defi/asset-leasing/anchor/programs/asset-leasing/src/errors.rs
@@ -30,4 +30,6 @@ pub enum AssetLeasingError {
     MathOverflow,
     #[msg("Signer is not authorised for this action")]
     Unauthorised,
+    #[msg("Leased mint and collateral mint must be different")]
+    LeasedMintEqualsCollateralMint,
 }
diff --git a/defi/asset-leasing/anchor/programs/asset-leasing/src/instructions/create_lease.rs b/defi/asset-leasing/anchor/programs/asset-leasing/src/instructions/create_lease.rs
@@ -80,6 +80,16 @@ pub fn handle_create_lease(
     maintenance_margin_bps: u16,
     liquidation_bounty_bps: u16,
 ) -> Result<()> {
+    // Reject leased_mint == collateral_mint. Allowing both to be the same SPL
+    // mint would collapse the two vaults' seed derivations into one shared
+    // token-balance pool, making rent-vs-collateral accounting ambiguous and
+    // enabling griefing paths where the lessee's "collateral" is the same
+    // asset they already hold as the lease principal.
+    require!(
+        context.accounts.leased_mint.key() != context.accounts.collateral_mint.key(),
+        AssetLeasingError::LeasedMintEqualsCollateralMint
+    );
+
     require!(leased_amount > 0, AssetLeasingError::InvalidLeasedAmount);
     require!(
         required_collateral_amount > 0,
diff --git a/defi/asset-leasing/anchor/programs/asset-leasing/tests/test_asset_leasing.rs b/defi/asset-leasing/anchor/programs/asset-leasing/tests/test_asset_leasing.rs
@@ -878,3 +878,60 @@ fn close_expired_cancels_listed_lease() {
     assert!(sc.svm.get_account(&leased_vault).is_none());
     assert!(sc.svm.get_account(&collateral_vault).is_none());
 }
+
+#[test]
+fn create_lease_rejects_same_mint_for_leased_and_collateral() {
+    // Collapsing leased_mint and collateral_mint into a single SPL mint would
+    // also collapse the two vaults into one token-balance pool (same mint,
+    // same authority seed pattern) and make rent-vs-collateral accounting
+    // ambiguous. The program rejects this up-front with
+    // `LeasedMintEqualsCollateralMint`.
+    let mut sc = full_setup();
+    let lease_id = 42u64;
+
+    // Build a `create_lease` instruction where the collateral_mint field
+    // carries the same mint as leased_mint. We bypass `build_create_lease_ix`
+    // because that helper always wires the two mints from the scenario.
+    let (lease, leased_vault, collateral_vault) =
+        lease_pdas(&sc.program_id, &sc.lessor.pubkey(), lease_id);
+    let ix = Instruction::new_with_bytes(
+        sc.program_id,
+        &asset_leasing::instruction::CreateLease {
+            lease_id,
+            leased_amount: LEASED_AMOUNT,
+            required_collateral_amount: REQUIRED_COLLATERAL,
+            rent_per_second: RENT_PER_SECOND,
+            duration_seconds: DURATION_SECONDS,
+            maintenance_margin_bps: MAINTENANCE_MARGIN_BPS,
+            liquidation_bounty_bps: LIQUIDATION_BOUNTY_BPS,
+        }
+        .data(),
+        asset_leasing::accounts::CreateLease {
+            lessor: sc.lessor.pubkey(),
+            leased_mint: sc.leased_mint,
+            // Same mint on both sides — should be rejected.
+            collateral_mint: sc.leased_mint,
+            lessor_leased_account: sc.lessor_leased_ata,
+            lease,
+            leased_vault,
+            collateral_vault,
+            token_program: token_program_id(),
+            system_program: system_program::id(),
+        }
+        .to_account_metas(None),
+    );
+
+    let result = send_transaction_from_instructions(
+        &mut sc.svm,
+        vec![ix],
+        &[&sc.lessor],
+        &sc.lessor.pubkey(),
+    );
+
+    let err = result.expect_err("create_lease must reject identical leased/collateral mints");
+    let rendered = format!("{err:?}");
+    assert!(
+        rendered.contains("LeasedMintEqualsCollateralMint") || rendered.contains("0x177e"),
+        "unexpected failure mode: {rendered}"
+    );
+}

Original file line number	Diff line number	Diff line change
`@@ -30,4 +30,6 @@ pub enum AssetLeasingError {`
`30`	`30`	`MathOverflow,`
`31`	`31`	`#[msg("Signer is not authorised for this action")]`
`32`	`32`	`Unauthorised,`
	`33`	`+ #[msg("Leased mint and collateral mint must be different")]`
	`34`	`+ LeasedMintEqualsCollateralMint,`
`33`	`35`	`}`