fix(asset-leasing): pin Pyth feed_id on Lease and enforce at liquidate

Edward (Edwardbot) · Edward (Edwardbot) · commit 29f5e002c09a · 2026-04-19T00:15:02.000Z
The previous liquidate handler trusted whatever Pyth `PriceUpdateV2` the
keeper passed in, provided the account was owned by the Pyth receiver
program. A keeper could therefore substitute a completely unrelated feed
(e.g. a volatile pair that happened to be dipping) and force a spurious
liquidation against a healthy lease.

Changes
  * `Lease` gains `feed_id: [u8; 32]`, persisted at create_lease.
  * `create_lease` takes `feed_id` as a parameter (updates lib.rs).
  * `DecodedPriceUpdate` exposes `feed_id`; `decode_price_update`
    reads bytes 41..73 of the account data.
  * `handle_liquidate` compares decoded feed_id to `lease.feed_id`
    and returns `PriceFeedMismatch` on mismatch.
  * Test mock builder parameterises feed_id; all existing tests pin
    FEED_ID = [0xAB; 32] and hand the matching value to mock price
    updates.
  * New test `liquidate_rejects_mismatched_price_feed` confirms a
    foreign-feed price update is rejected even when the price would
    otherwise flag the position as underwater.

11 tests pass (was 10).
diff --git a/defi/asset-leasing/anchor/programs/asset-leasing/src/errors.rs b/defi/asset-leasing/anchor/programs/asset-leasing/src/errors.rs
@@ -32,4 +32,6 @@ pub enum AssetLeasingError {
     Unauthorised,
     #[msg("Leased mint and collateral mint must be different")]
     LeasedMintEqualsCollateralMint,
+    #[msg("Price update does not match the feed pinned on this lease")]
+    PriceFeedMismatch,
 }
diff --git a/defi/asset-leasing/anchor/programs/asset-leasing/src/instructions/create_lease.rs b/defi/asset-leasing/anchor/programs/asset-leasing/src/instructions/create_lease.rs
@@ -79,6 +79,7 @@ pub fn handle_create_lease(
     duration_seconds: i64,
     maintenance_margin_bps: u16,
     liquidation_bounty_bps: u16,
+    feed_id: [u8; 32],
 ) -> Result<()> {
     // Reject leased_mint == collateral_mint. Allowing both to be the same SPL
     // mint would collapse the two vaults' seed derivations into one shared
@@ -139,6 +140,7 @@ pub fn handle_create_lease(
         last_rent_paid_ts: 0,
         maintenance_margin_bps,
         liquidation_bounty_bps,
+        feed_id,
         status: LeaseStatus::Listed,
         bump: context.bumps.lease,
         leased_vault_bump: context.bumps.leased_vault,
diff --git a/defi/asset-leasing/anchor/programs/asset-leasing/src/instructions/liquidate.rs b/defi/asset-leasing/anchor/programs/asset-leasing/src/instructions/liquidate.rs
@@ -109,15 +109,17 @@ pub struct Liquidate<'info> {
 /// feed_id(32) | price(i64) | conf(u64) | exponent(i32) | publish_time(i64) |
 /// prev_publish_time(i64) | ema_price(i64) | ema_conf(u64) | posted_slot(u64)]`.
 pub struct DecodedPriceUpdate {
+    pub feed_id: [u8; 32],
     pub price: i64,
     pub exponent: i32,
     pub publish_time: i64,
 }
 
 pub fn decode_price_update(data: &[u8]) -> Result<DecodedPriceUpdate> {
-    // Discriminator (8) + write_authority (32) + verification_level (1) +
-    // feed_id (32) = 73 bytes before the fields we care about.
-    const PRICE_OFFSET: usize = 73;
+    // Discriminator (8) + write_authority (32) + verification_level (1) = 41.
+    const FEED_ID_OFFSET: usize = 41;
+    // feed_id (32) starts at 41, price i64 at 41 + 32 = 73.
+    const PRICE_OFFSET: usize = FEED_ID_OFFSET + 32;
     const EXPONENT_OFFSET: usize = PRICE_OFFSET + 8 + 8; // price + conf
     const PUBLISH_TIME_OFFSET: usize = EXPONENT_OFFSET + 4; // exponent
     const MIN_LEN: usize = PUBLISH_TIME_OFFSET + 8;
@@ -128,6 +130,9 @@ pub fn decode_price_update(data: &[u8]) -> Result<DecodedPriceUpdate> {
         AssetLeasingError::StalePrice
     );
 
+    let mut feed_id = [0u8; 32];
+    feed_id.copy_from_slice(&data[FEED_ID_OFFSET..FEED_ID_OFFSET + 32]);
+
     let price = i64::from_le_bytes(data[PRICE_OFFSET..PRICE_OFFSET + 8].try_into().unwrap());
     let exponent = i32::from_le_bytes(
         data[EXPONENT_OFFSET..EXPONENT_OFFSET + 4]
@@ -141,6 +146,7 @@ pub fn decode_price_update(data: &[u8]) -> Result<DecodedPriceUpdate> {
     );
 
     Ok(DecodedPriceUpdate {
+        feed_id,
         price,
         exponent,
         publish_time,
@@ -153,6 +159,16 @@ pub fn handle_liquidate(context: Context<Liquidate>) -> Result<()> {
     let decoded = decode_price_update(&price_data)?;
     drop(price_data);
 
+    // Feed pinning: reject any `PriceUpdateV2` whose feed_id does not match
+    // the one the lessor committed to at `create_lease`. Without this guard,
+    // a keeper could pass in any feed the Pyth Receiver program owns — e.g.
+    // a wildly volatile pair that dips enough to flag the position as
+    // underwater — and trigger a spurious liquidation.
+    require!(
+        decoded.feed_id == context.accounts.lease.feed_id,
+        AssetLeasingError::PriceFeedMismatch
+    );
+
     require!(
         is_underwater(&context.accounts.lease, &decoded, now)?,
         AssetLeasingError::PositionHealthy
diff --git a/defi/asset-leasing/anchor/programs/asset-leasing/src/lib.rs b/defi/asset-leasing/anchor/programs/asset-leasing/src/lib.rs
@@ -27,6 +27,7 @@ pub mod asset_leasing {
         duration_seconds: i64,
         maintenance_margin_bps: u16,
         liquidation_bounty_bps: u16,
+        feed_id: [u8; 32],
     ) -> Result<()> {
         instructions::create_lease::handle_create_lease(
             context,
@@ -37,6 +38,7 @@ pub mod asset_leasing {
             duration_seconds,
             maintenance_margin_bps,
             liquidation_bounty_bps,
+            feed_id,
         )
     }
 
diff --git a/defi/asset-leasing/anchor/programs/asset-leasing/src/state/lease.rs b/defi/asset-leasing/anchor/programs/asset-leasing/src/state/lease.rs
@@ -58,6 +58,13 @@ pub struct Lease {
     /// lease, expressed in basis points of `collateral_amount`.
     pub liquidation_bounty_bps: u16,
 
+    /// Pyth `PriceUpdateV2.feed_id` that this lease is pinned to. The
+    /// liquidation handler refuses price updates whose on-account `feed_id`
+    /// does not match this value, so a keeper cannot swap in an unrelated
+    /// feed (e.g. a cheaper or more volatile pair) to force a liquidation.
+    /// Chosen by the lessor at `create_lease`.
+    pub feed_id: [u8; 32],
+
     /// Current lifecycle state.
     pub status: LeaseStatus,
 
diff --git a/defi/asset-leasing/anchor/programs/asset-leasing/tests/test_asset_leasing.rs b/defi/asset-leasing/anchor/programs/asset-leasing/tests/test_asset_leasing.rs
@@ -171,6 +171,7 @@ fn build_create_lease_ix(
     duration_seconds: i64,
     maintenance_margin_bps: u16,
     liquidation_bounty_bps: u16,
+    feed_id: [u8; 32],
 ) -> Instruction {
     let (lease, leased_vault, collateral_vault) =
         lease_pdas(&sc.program_id, &sc.lessor.pubkey(), lease_id);
@@ -184,6 +185,7 @@ fn build_create_lease_ix(
             duration_seconds,
             maintenance_margin_bps,
             liquidation_bounty_bps,
+            feed_id,
         }
         .data(),
         asset_leasing::accounts::CreateLease {
@@ -349,7 +351,12 @@ fn build_close_expired_ix(sc: &Scenario, lease_id: u64) -> Instruction {
 /// Build a minimal `PriceUpdateV2` account body with the requested price and
 /// exponent, timestamped `publish_time`. Fields not used by the program are
 /// filled with zero bytes.
-fn build_price_update_data(price: i64, exponent: i32, publish_time: i64) -> Vec<u8> {
+fn build_price_update_data(
+    feed_id: [u8; 32],
+    price: i64,
+    exponent: i32,
+    publish_time: i64,
+) -> Vec<u8> {
     // Size layout:
     // 8 disc + 32 write_authority + 1 verification_level + 32 feed_id +
     // 8 price + 8 conf + 4 exponent + 8 publish_time + 8 prev_publish_time +
@@ -361,8 +368,7 @@ fn build_price_update_data(price: i64, exponent: i32, publish_time: i64) -> Vec<
     data.extend_from_slice(&[0u8; 32]);
     // verification_level = Full (1).
     data.push(1);
-    // feed_id — arbitrary; not checked by the program.
-    data.extend_from_slice(&[0xAB; 32]);
+    data.extend_from_slice(&feed_id);
     data.extend_from_slice(&price.to_le_bytes());
     data.extend_from_slice(&0u64.to_le_bytes()); // conf
     data.extend_from_slice(&exponent.to_le_bytes());
@@ -378,11 +384,12 @@ fn build_price_update_data(price: i64, exponent: i32, publish_time: i64) -> Vec<
 fn mock_price_update(
     svm: &mut LiteSVM,
     address: Pubkey,
+    feed_id: [u8; 32],
     price: i64,
     exponent: i32,
     publish_time: i64,
 ) {
-    let data = build_price_update_data(price, exponent, publish_time);
+    let data = build_price_update_data(feed_id, price, exponent, publish_time);
     let lamports = svm.minimum_balance_for_rent_exemption(data.len());
     let owner: Pubkey = PYTH_RECEIVER_PROGRAM_ID_STR.parse().unwrap();
     svm.set_account(
@@ -409,6 +416,11 @@ const RENT_PER_SECOND: u64 = 10; // 10 base-units / sec
 const DURATION_SECONDS: i64 = 60 * 60 * 24; // 24h
 const MAINTENANCE_MARGIN_BPS: u16 = 12_000; // 120%
 const LIQUIDATION_BOUNTY_BPS: u16 = 500; // 5%
+// Arbitrary 32-byte Pyth feed id the tests pin their leases to. The
+// mocked `PriceUpdateV2` accounts carry the same id so the feed-pinning
+// check in liquidate passes. `liquidate_rejects_mismatched_price_feed`
+// flips one byte of this to prove the check rejects foreign feeds.
+const FEED_ID: [u8; 32] = [0xAB; 32];
 
 #[test]
 fn create_lease_locks_tokens_and_lists() {
@@ -424,6 +436,7 @@ fn create_lease_locks_tokens_and_lists() {
         DURATION_SECONDS,
         MAINTENANCE_MARGIN_BPS,
         LIQUIDATION_BOUNTY_BPS,
+        FEED_ID,
     );
     send_transaction_from_instructions(&mut sc.svm, vec![ix], &[&sc.lessor], &sc.lessor.pubkey())
         .unwrap();
@@ -467,6 +480,7 @@ fn take_lease_posts_collateral_and_delivers_tokens() {
         DURATION_SECONDS,
         MAINTENANCE_MARGIN_BPS,
         LIQUIDATION_BOUNTY_BPS,
+        FEED_ID,
     );
     send_transaction_from_instructions(
         &mut sc.svm,
@@ -520,6 +534,7 @@ fn pay_rent_streams_collateral_by_elapsed_time() {
         DURATION_SECONDS,
         MAINTENANCE_MARGIN_BPS,
         LIQUIDATION_BOUNTY_BPS,
+        FEED_ID,
     );
     let take_ix = build_take_lease_ix(&sc, lease_id);
     send_transaction_from_instructions(
@@ -569,6 +584,7 @@ fn top_up_collateral_increases_vault_balance() {
         DURATION_SECONDS,
         MAINTENANCE_MARGIN_BPS,
         LIQUIDATION_BOUNTY_BPS,
+        FEED_ID,
     );
     let take_ix = build_take_lease_ix(&sc, lease_id);
     send_transaction_from_instructions(
@@ -610,6 +626,7 @@ fn return_lease_refunds_unused_collateral() {
         DURATION_SECONDS,
         MAINTENANCE_MARGIN_BPS,
         LIQUIDATION_BOUNTY_BPS,
+        FEED_ID,
     );
     let take_ix = build_take_lease_ix(&sc, lease_id);
     send_transaction_from_instructions(
@@ -675,6 +692,7 @@ fn liquidate_seizes_collateral_on_price_drop() {
         DURATION_SECONDS,
         MAINTENANCE_MARGIN_BPS,
         LIQUIDATION_BOUNTY_BPS,
+        FEED_ID,
     );
     let take_ix = build_take_lease_ix(&sc, lease_id);
     send_transaction_from_instructions(
@@ -698,6 +716,7 @@ fn liquidate_seizes_collateral_on_price_drop() {
     mock_price_update(
         &mut sc.svm,
         price_update_key.pubkey(),
+        FEED_ID,
         4,
         0,
         now, // fresh publish_time
@@ -751,6 +770,7 @@ fn liquidate_rejects_healthy_position() {
         DURATION_SECONDS,
         MAINTENANCE_MARGIN_BPS,
         LIQUIDATION_BOUNTY_BPS,
+        FEED_ID,
     );
     let take_ix = build_take_lease_ix(&sc, lease_id);
     send_transaction_from_instructions(
@@ -766,7 +786,7 @@ fn liquidate_rejects_healthy_position() {
     // to fail with `PositionHealthy`.
     let price_update_key = Keypair::new();
     let now = current_clock(&sc.svm);
-    mock_price_update(&mut sc.svm, price_update_key.pubkey(), 1, 0, now);
+    mock_price_update(&mut sc.svm, price_update_key.pubkey(), FEED_ID, 1, 0, now);
 
     let liq_ix = build_liquidate_ix(&sc, lease_id, price_update_key.pubkey());
     let result = send_transaction_from_instructions(
@@ -778,6 +798,68 @@ fn liquidate_rejects_healthy_position() {
     assert!(result.is_err(), "healthy liquidation must fail");
 }
 
+#[test]
+fn liquidate_rejects_mismatched_price_feed() {
+    // The lessor pinned FEED_ID; we hand the handler a price update whose
+    // internal feed_id is different. Even when the price would push the
+    // position underwater, the liquidate call must bail with
+    // `PriceFeedMismatch` before running the undercollateralisation check.
+    let mut sc = full_setup();
+    let lease_id = 100u64;
+
+    let create_ix = build_create_lease_ix(
+        &sc,
+        lease_id,
+        LEASED_AMOUNT,
+        REQUIRED_COLLATERAL,
+        RENT_PER_SECOND,
+        DURATION_SECONDS,
+        MAINTENANCE_MARGIN_BPS,
+        LIQUIDATION_BOUNTY_BPS,
+        FEED_ID,
+    );
+    let take_ix = build_take_lease_ix(&sc, lease_id);
+    send_transaction_from_instructions(
+        &mut sc.svm,
+        vec![create_ix, take_ix],
+        &[&sc.lessor, &sc.lessee],
+        &sc.lessor.pubkey(),
+    )
+    .unwrap();
+
+    // Flip every byte — any 32-byte feed id other than FEED_ID should do.
+    let wrong_feed_id = [0xCD; 32];
+
+    // Price that *would* trigger liquidation (debt 400 vs 200 collateral,
+    // same as `liquidate_seizes_collateral_on_price_drop`) — except this
+    // update carries the wrong feed id.
+    let price_update_key = Keypair::new();
+    let now = current_clock(&sc.svm);
+    mock_price_update(
+        &mut sc.svm,
+        price_update_key.pubkey(),
+        wrong_feed_id,
+        4,
+        0,
+        now,
+    );
+
+    let liq_ix = build_liquidate_ix(&sc, lease_id, price_update_key.pubkey());
+    let result = send_transaction_from_instructions(
+        &mut sc.svm,
+        vec![liq_ix],
+        &[&sc.keeper],
+        &sc.keeper.pubkey(),
+    );
+    let err = result.expect_err("liquidate must reject foreign price feeds");
+    let rendered = format!("{err:?}");
+    // PriceFeedMismatch is the 16th error in the enum (index 15) → 0x177f.
+    assert!(
+        rendered.contains("PriceFeedMismatch") || rendered.contains("0x177f"),
+        "unexpected failure mode: {rendered}"
+    );
+}
+
 #[test]
 fn close_expired_reclaims_collateral_after_end_ts() {
     let mut sc = full_setup();
@@ -792,6 +874,7 @@ fn close_expired_reclaims_collateral_after_end_ts() {
         DURATION_SECONDS,
         MAINTENANCE_MARGIN_BPS,
         LIQUIDATION_BOUNTY_BPS,
+        FEED_ID,
     );
     let take_ix = build_take_lease_ix(&sc, lease_id);
     send_transaction_from_instructions(
@@ -848,6 +931,7 @@ fn close_expired_cancels_listed_lease() {
         DURATION_SECONDS,
         MAINTENANCE_MARGIN_BPS,
         LIQUIDATION_BOUNTY_BPS,
+        FEED_ID,
     );
     send_transaction_from_instructions(
         &mut sc.svm,
@@ -904,6 +988,7 @@ fn create_lease_rejects_same_mint_for_leased_and_collateral() {
             duration_seconds: DURATION_SECONDS,
             maintenance_margin_bps: MAINTENANCE_MARGIN_BPS,
             liquidation_bounty_bps: LIQUIDATION_BOUNTY_BPS,
+            feed_id: FEED_ID,
         }
         .data(),
         asset_leasing::accounts::CreateLease {

Original file line number	Diff line number	Diff line change
`@@ -32,4 +32,6 @@ pub enum AssetLeasingError {`
`32`	`32`	`Unauthorised,`
`33`	`33`	`#[msg("Leased mint and collateral mint must be different")]`
`34`	`34`	`LeasedMintEqualsCollateralMint,`
	`35`	`+ #[msg("Price update does not match the feed pinned on this lease")]`
	`36`	`+ PriceFeedMismatch,`
`35`	`37`	`}`
Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,7 @@ pub mod asset_leasing {`
`27`	`27`	`duration_seconds: i64,`
`28`	`28`	`maintenance_margin_bps: u16,`
`29`	`29`	`liquidation_bounty_bps: u16,`
	`30`	`+ feed_id: [u8; 32],`
`30`	`31`	`) -> Result<()> {`
`31`	`32`	`instructions::create_lease::handle_create_lease(`
`32`	`33`	`context,`
`@@ -37,6 +38,7 @@ pub mod asset_leasing {`
`37`	`38`	`duration_seconds,`
`38`	`39`	`maintenance_margin_bps,`
`39`	`40`	`liquidation_bounty_bps,`
	`41`	`+ feed_id,`
`40`	`42`	`)`
`41`	`43`	`}`
`42`	`44`