Skip to content

Commit 3d00ad7

Browse files
authored
p-token: Add clarifications from formal verification report (#155)
* Comment for I-02 * Comment for I-04 * Comment for I-06 and I-07 * Comment for I-08 * Comment for I-09 * Comment for I-10 * Comment for I-11 * Comment for I-12 * Fix formatting * Add syscall keyword
1 parent 46eaacd commit 3d00ad7

5 files changed

Lines changed: 90 additions & 2 deletions

File tree

pinocchio/interface/src/instruction.rs

Lines changed: 70 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -53,7 +53,18 @@ pub enum TokenInstruction {
5353
/// Multisignature accounts can used in place of any single owner/delegate
5454
/// accounts in any token instruction that require an owner/delegate to be
5555
/// present. The variant field represents the number of signers (M)
56-
/// required to validate this multisignature account.
56+
/// required to validate this multisignature account. This number must be
57+
/// less than or equal to the number of signers provided in the accounts
58+
/// list, otherwise the multisignature account will be unusable.
59+
///
60+
/// Note that M is not validated to be less than or equal to the number of
61+
/// signers provided in the accounts list, so it is the caller's
62+
/// responsibility to ensure a valid M value is provided.
63+
///
64+
/// Duplicate signer accounts are not rejected. The caller must ensure each
65+
/// signer is unique and appears only once in the accounts list, otherwise
66+
/// a repeated signer can count more than once and effectively lower the
67+
/// configured M threshold.
5768
///
5869
/// The [`TokenInstruction::InitializeMultisig`] instruction requires no
5970
/// signers and MUST be included within the same Transaction as the
@@ -79,6 +90,9 @@ pub enum TokenInstruction {
7990
/// amounts of SOL and Tokens will be transferred to the destination
8091
/// account.
8192
///
93+
/// This instruction accepts multisignature accounts owned by either
94+
/// the Token or Token-2022 programs.
95+
///
8296
/// Accounts expected by this instruction:
8397
///
8498
/// * Single owner/delegate
@@ -100,6 +114,9 @@ pub enum TokenInstruction {
100114
/// Approves a delegate. A delegate is given the authority over tokens on
101115
/// behalf of the source account's owner.
102116
///
117+
/// This instruction accepts multisignature accounts owned by either
118+
/// the Token or Token-2022 programs.
119+
///
103120
/// Accounts expected by this instruction:
104121
///
105122
/// * Single owner
@@ -120,6 +137,11 @@ pub enum TokenInstruction {
120137

121138
/// Revokes the delegate's authority.
122139
///
140+
/// Note that a delegate can revoke its own delegation.
141+
///
142+
/// This instruction accepts multisignature accounts owned by either
143+
/// the Token or Token-2022 programs.
144+
///
123145
/// Accounts expected by this instruction:
124146
///
125147
/// * Single owner
@@ -137,6 +159,9 @@ pub enum TokenInstruction {
137159
/// Note that when setting a new account owner authority on a native
138160
/// token account, the current close authority (if any) will be removed.
139161
///
162+
/// This instruction accepts multisignature accounts owned by either
163+
/// the Token or Token-2022 programs.
164+
///
140165
/// Accounts expected by this instruction:
141166
///
142167
/// * Single authority
@@ -157,6 +182,9 @@ pub enum TokenInstruction {
157182
/// Mints new tokens to an account. The native mint does not support
158183
/// minting.
159184
///
185+
/// This instruction accepts multisignature accounts owned by either
186+
/// the Token or Token-2022 programs.
187+
///
160188
/// Accounts expected by this instruction:
161189
///
162190
/// * Single authority
@@ -178,6 +206,9 @@ pub enum TokenInstruction {
178206
/// Burns tokens by removing them from an account. `Burn` does not support
179207
/// accounts associated with the native mint, use `CloseAccount` instead.
180208
///
209+
/// This instruction accepts multisignature accounts owned by either
210+
/// the Token or Token-2022 programs.
211+
///
181212
/// Accounts expected by this instruction:
182213
///
183214
/// * Single owner/delegate
@@ -199,6 +230,9 @@ pub enum TokenInstruction {
199230
/// Close an account by transferring all its SOL to the destination account.
200231
/// Non-native accounts may only be closed if its token amount is zero.
201232
///
233+
/// This instruction accepts multisignature accounts owned by either
234+
/// the Token or Token-2022 programs.
235+
///
202236
/// Accounts expected by this instruction:
203237
///
204238
/// * Single owner
@@ -216,6 +250,9 @@ pub enum TokenInstruction {
216250
/// Freeze an Initialized account using the Mint's `freeze_authority` (if
217251
/// set).
218252
///
253+
/// This instruction accepts multisignature accounts owned by either
254+
/// the Token or Token-2022 programs.
255+
///
219256
/// Accounts expected by this instruction:
220257
///
221258
/// * Single owner
@@ -232,6 +269,9 @@ pub enum TokenInstruction {
232269

233270
/// Thaw a Frozen account using the Mint's `freeze_authority` (if set).
234271
///
272+
/// This instruction accepts multisignature accounts owned by either
273+
/// the Token or Token-2022 programs.
274+
///
235275
/// Accounts expected by this instruction:
236276
///
237277
/// * Single owner
@@ -255,6 +295,9 @@ pub enum TokenInstruction {
255295
/// decimals value is checked by the caller. This may be useful when
256296
/// creating transactions offline or within a hardware wallet.
257297
///
298+
/// This instruction accepts multisignature accounts owned by either
299+
/// the Token or Token-2022 programs.
300+
///
258301
/// Accounts expected by this instruction:
259302
///
260303
/// * Single owner/delegate
@@ -284,6 +327,9 @@ pub enum TokenInstruction {
284327
/// decimals value is checked by the caller. This may be useful when
285328
/// creating transactions offline or within a hardware wallet.
286329
///
330+
/// This instruction accepts multisignature accounts owned by either
331+
/// the Token or Token-2022 programs.
332+
///
287333
/// Accounts expected by this instruction:
288334
///
289335
/// * Single owner
@@ -313,6 +359,9 @@ pub enum TokenInstruction {
313359
/// decimals value is checked by the caller. This may be useful when
314360
/// creating transactions offline or within a hardware wallet.
315361
///
362+
/// This instruction accepts multisignature accounts owned by either
363+
/// the Token or Token-2022 programs.
364+
///
316365
/// Accounts expected by this instruction:
317366
///
318367
/// * Single authority
@@ -341,6 +390,9 @@ pub enum TokenInstruction {
341390
/// by the caller. This may be useful when creating transactions offline or
342391
/// within a hardware wallet.
343392
///
393+
/// This instruction accepts multisignature accounts owned by either
394+
/// the Token or Token-2022 programs.
395+
///
344396
/// Accounts expected by this instruction:
345397
///
346398
/// * Single owner/delegate
@@ -384,6 +436,11 @@ pub enum TokenInstruction {
384436
/// `system_instruction::transfer` to move lamports to a wrapped token
385437
/// account, and needs to have its token `amount` field updated.
386438
///
439+
/// The rent-exempt reserve is recomputed by the instruction using the Rent
440+
/// sysvar, retrieved either through the syscall or passed as an extra
441+
/// account. As a result, the token `amount` field value can increase or
442+
/// decrease according to the rent-exempt reserve requirement.
443+
///
387444
/// Accounts expected by this instruction:
388445
///
389446
/// * Using runtime Rent sysvar
@@ -455,7 +512,9 @@ pub enum TokenInstruction {
455512
/// before [`TokenInstruction::InitializeAccount`].
456513
///
457514
/// No-ops in this version of the program, but is included for compatibility
458-
/// with the Associated Token Account program.
515+
/// with the Associated Token Account program. Note that when the
516+
/// instruction is executed as part of a [`TokenInstruction::Batch`],
517+
/// the account must be owned by the Token program.
459518
///
460519
/// Accounts expected by this instruction:
461520
///
@@ -487,6 +546,9 @@ pub enum TokenInstruction {
487546
/// Return data can be fetched using `sol_get_return_data` and deserializing
488547
/// the return data as a little-endian `u64`.
489548
///
549+
/// Note that the length of `ui_amount` is limited to `257` digits
550+
/// (characters), including digits after the decimal point.
551+
///
490552
/// Accounts expected by this instruction:
491553
///
492554
/// 0. `[]` The mint to calculate for.
@@ -500,6 +562,9 @@ pub enum TokenInstruction {
500562
/// owned account by sending them to any other account, leaving behind only
501563
/// lamports for rent exemption.
502564
///
565+
/// This instruction accepts multisignature accounts owned by either
566+
/// the Token or Token-2022 programs.
567+
///
503568
/// Accounts expected by this instruction:
504569
///
505570
/// * Single owner/delegate
@@ -518,6 +583,9 @@ pub enum TokenInstruction {
518583
///
519584
/// This is useful to unwrap lamports from a wrapped SOL account.
520585
///
586+
/// This instruction accepts multisignature accounts owned by either
587+
/// the Token or Token-2022 programs.
588+
///
521589
/// Accounts expected by this instruction:
522590
///
523591
/// * Single owner/delegate

pinocchio/interface/src/state/account.rs

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,11 @@ pub const INCINERATOR_ID: Pubkey =
1515
const SYSTEM_PROGRAM_ID: Pubkey = pinocchio_pubkey::pubkey!("11111111111111111111111111111111");
1616

1717
/// Internal representation of a token account data.
18+
///
19+
/// Note that when loading an `Account` from bytes, this implementation does not
20+
/// check the validity of `COption` fields, since the trailing 3 bytes are
21+
/// ignored. As a result, it is possible to load an `Account` with invalid
22+
/// `COption` values.
1823
#[repr(C)]
1924
pub struct Account {
2025
/// The mint associated with this account

pinocchio/interface/src/state/mint.rs

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,11 @@ use {
44
};
55

66
/// Internal representation of a mint data.
7+
///
8+
/// Note that when loading a `Mint` from bytes, this implementation does not
9+
/// check the validity of `COption` fields, since the trailing 3 bytes are
10+
/// ignored. As a result, it is possible to load a `Mint` with invalid `COption`
11+
/// values.
712
#[repr(C)]
813
pub struct Mint {
914
/// Optional authority used to mint new tokens. The mint authority may only

pinocchio/interface/src/state/mod.rs

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,15 @@ pub mod mint;
99
pub mod multisig;
1010

1111
/// Type alias for fields represented as `COption`.
12+
///
13+
/// Note that only the first byte of the 4-byte array is used to
14+
/// represent the `Option` discriminant, while the remaining 3 bytes
15+
/// are padding to ensure alignment. The program does not modify
16+
/// these padding bytes and leaves them as `0`.
17+
///
18+
/// Reading a `COption` value with nonzero trailing padding bytes
19+
/// does not result in an error, since they are ignored in this
20+
/// implementation.
1221
pub type COption<T> = ([u8; 4], T);
1322

1423
/// Marker trait for types that can be cast from a raw pointer.

scripts/solana.dic

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -50,3 +50,4 @@ APY
5050
codama
5151
autogenerated
5252
sdk
53+
syscall

0 commit comments

Comments
 (0)