fix(svm): M-01 Deposit Tokens Transferred from Depositor Token Account Instead of Signer (#971)

* fix(svm): M-01 Deposit Tokens Transfers

Signed-off-by: Pablo Maldonado <pablo@umaproject.org>

* feat: use unchecked account

Signed-off-by: Pablo Maldonado <pablo@umaproject.org>

* feat: remove system acc

Signed-off-by: Pablo Maldonado <pablo@umaproject.org>

* fix: deposit tests

Signed-off-by: Pablo Maldonado <pablo@umaproject.org>

* fix: fill tests

Signed-off-by: Pablo Maldonado <pablo@umaproject.org>

* refactor: rename and comments

Signed-off-by: Pablo Maldonado <pablo@umaproject.org>

* fix: across plus

Signed-off-by: Pablo Maldonado <pablo@umaproject.org>

* fix(svm): pin rust toolchain for solana (#960)

* fix(svm): pin rust toolchain for solana

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

* fix: add local toolchain

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

* fix: add rustfmt to nightly

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

* fix: pin nightly in lint scripts

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

---------

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

* refactor: rename and organize function

Signed-off-by: Pablo Maldonado <pablo@umaproject.org>

* feat: update deposit delegate seed

Signed-off-by: Pablo Maldonado <pablo@umaproject.org>

* feat: use relay_hash from function arguments

Signed-off-by: Pablo Maldonado <pablo@umaproject.org>

* fix: heap memory error

Signed-off-by: Pablo Maldonado <pablo@umaproject.org>

* fix

Signed-off-by: Pablo Maldonado <pablo@umaproject.org>

* refactor: cleanup

Signed-off-by: Pablo Maldonado <pablo@umaproject.org>

* fix: deposit checks

Signed-off-by: Pablo Maldonado <pablo@umaproject.org>

* fix: fill tests

Signed-off-by: Pablo Maldonado <pablo@umaproject.org>

* fix: fill relay delagate

Signed-off-by: Pablo Maldonado <pablo@umaproject.org>

* fix: fill

Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>

* refactor: simplify

Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>

* refactor: cleanup

Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>

* test: update fill tests

Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>

* refactor: comments

Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>

* fix: scripts

Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>

* refactor: make seed structs private

Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>

* feat: add missing params to deposit hashes

Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>

* refactor: simplify

Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>

* refactor: delegate utils

Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>

* refactor: anchor serialize

Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>

* refactor: reuse helper deriveSeedHash

Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>

* fix: move paused fills check in handler

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

* feat: improvements

Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>

* fix: remove program_id from transfer_from params

Signed-off-by: Reinis Martinsons <reinis@umaproject.org>

* fix: fill import

Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>

* fix: tests

Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>

---------

Signed-off-by: Pablo Maldonado <pablo@umaproject.org>
Signed-off-by: Reinis Martinsons <reinis@umaproject.org>
Signed-off-by: Pablo Maldonado <pablomaldonadoturci@gmail.com>
Co-authored-by: Reinis Martinsons <77973553+Reinis-FRP@users.noreply.github.com>
Co-authored-by: Reinis Martinsons <reinis@umaproject.org>

Author: md0x

programs/svm-spoke/src/error.rs

@@ -5,7 +5,7 @@ use anchor_lang::prelude::*;
 pub enum CommonError {
     #[msg("Invalid quote timestamp!")]
     InvalidQuoteTimestamp,
-    #[msg("Ivalid fill deadline!")]
+    #[msg("Invalid fill deadline!")]
     InvalidFillDeadline,
     #[msg("Caller is not the exclusive relayer and exclusivity deadline has not passed!")]
     NotExclusiveRelayer,
@@ -72,6 +72,8 @@ pub enum SvmError {
     InvalidProductionSeed,
     #[msg("Invalid remaining accounts for ATA creation!")]
     InvalidATACreationAccounts,
+    #[msg("Invalid delegate PDA!")]
+    InvalidDelegatePda,
 }
 
 // CCTP specific errors.

programs/svm-spoke/src/instructions/deposit.rs

@@ -11,7 +11,9 @@ use crate::{
     error::{CommonError, SvmError},
     event::FundsDeposited,
     state::State,
-    utils::{get_current_time, get_unsafe_deposit_id, transfer_from},
+    utils::{
+        derive_seed_hash, get_current_time, get_unsafe_deposit_id, transfer_from, DepositNowSeedData, DepositSeedData,
+    },
 };
 
 #[event_cpi]
@@ -23,7 +25,7 @@ use crate::{
     output_token: Pubkey,
     input_amount: u64,
     output_amount: u64,
-    destination_chain_id: u64,
+    destination_chain_id: u64
 )]
 pub struct Deposit<'info> {
     #[account(mut)]
@@ -36,6 +38,9 @@ pub struct Deposit<'info> {
     )]
     pub state: Account<'info, State>,
 
+    /// CHECK: PDA derived with seeds ["delegate", seed_hash]; used as a CPI signer.
+    pub delegate: UncheckedAccount<'info>,
+
     #[account(
         mut,
         associated_token::mint = mint,
@@ -76,15 +81,14 @@ pub fn _deposit(
     fill_deadline: u32,
     exclusivity_parameter: u32,
     message: Vec<u8>,
+    delegate_seed_hash: [u8; 32],
 ) -> Result<()> {
     let state = &mut ctx.accounts.state;
-
     let current_time = get_current_time(state)?;
 
     if current_time.checked_sub(quote_timestamp).unwrap_or(u32::MAX) > state.deposit_quote_time_buffer {
         return err!(CommonError::InvalidQuoteTimestamp);
     }
-
     if fill_deadline > current_time + state.fill_deadline_buffer {
         return err!(CommonError::InvalidFillDeadline);
     }
@@ -94,21 +98,20 @@ pub fn _deposit(
         if exclusivity_deadline <= MAX_EXCLUSIVITY_PERIOD_SECONDS {
             exclusivity_deadline += current_time;
         }
-
         if exclusive_relayer == Pubkey::default() {
             return err!(CommonError::InvalidExclusiveRelayer);
         }
     }
 
-    // Depositor must have delegated input_amount to the state PDA.
+    // Depositor must have delegated input_amount to the delegate PDA
     transfer_from(
         &ctx.accounts.depositor_token_account,
         &ctx.accounts.vault,
         input_amount,
-        state,
-        ctx.bumps.state,
+        &ctx.accounts.delegate,
         &ctx.accounts.mint,
         &ctx.accounts.token_program,
+        delegate_seed_hash,
     )?;
 
     let mut applied_deposit_id = deposit_id;
@@ -152,6 +155,22 @@ pub fn deposit(
     exclusivity_parameter: u32,
     message: Vec<u8>,
 ) -> Result<()> {
+    let seed_hash = derive_seed_hash(
+        &(DepositSeedData {
+            depositor,
+            recipient,
+            input_token,
+            output_token,
+            input_amount,
+            output_amount,
+            destination_chain_id,
+            exclusive_relayer,
+            quote_timestamp,
+            fill_deadline,
+            exclusivity_parameter,
+            message: &message,
+        }),
+    );
     _deposit(
         ctx,
         depositor,
@@ -167,6 +186,7 @@ pub fn deposit(
         fill_deadline,
         exclusivity_parameter,
         message,
+        seed_hash,
     )?;
 
     Ok(())
@@ -188,7 +208,22 @@ pub fn deposit_now(
 ) -> Result<()> {
     let state = &mut ctx.accounts.state;
     let current_time = get_current_time(state)?;
-    deposit(
+    let seed_hash = derive_seed_hash(
+        &(DepositNowSeedData {
+            depositor,
+            recipient,
+            input_token,
+            output_token,
+            input_amount,
+            output_amount,
+            destination_chain_id,
+            exclusive_relayer,
+            fill_deadline_offset,
+            exclusivity_period,
+            message: &message,
+        }),
+    );
+    _deposit(
         ctx,
         depositor,
         recipient,
@@ -198,10 +233,12 @@ pub fn deposit_now(
         output_amount,
         destination_chain_id,
         exclusive_relayer,
+        ZERO_DEPOSIT_ID, // ZERO_DEPOSIT_ID informs internal function to use state.number_of_deposits as id.
         current_time,
         current_time + fill_deadline_offset,
         exclusivity_period,
         message,
+        seed_hash,
     )?;
 
     Ok(())
@@ -225,6 +262,22 @@ pub fn unsafe_deposit(
 ) -> Result<()> {
     // Calculate the unsafe deposit ID as a [u8; 32]
     let deposit_id = get_unsafe_deposit_id(ctx.accounts.signer.key(), depositor, deposit_nonce);
+    let seed_hash = derive_seed_hash(
+        &(DepositSeedData {
+            depositor,
+            recipient,
+            input_token,
+            output_token,
+            input_amount,
+            output_amount,
+            destination_chain_id,
+            exclusive_relayer,
+            quote_timestamp,
+            fill_deadline,
+            exclusivity_parameter,
+            message: &message,
+        }),
+    );
     _deposit(
         ctx,
         depositor,
@@ -240,6 +293,7 @@ pub fn unsafe_deposit(
         fill_deadline,
         exclusivity_parameter,
         message,
+        seed_hash,
     )?;
 
     Ok(())

programs/svm-spoke/src/instructions/fill.rs

@@ -11,7 +11,7 @@ use crate::{
     error::{CommonError, SvmError},
     event::{FillType, FilledRelay, RelayExecutionEventInfo},
     state::{FillRelayParams, FillStatus, FillStatusAccount, State},
-    utils::{get_current_time, hash_non_empty_message, invoke_handler, transfer_from},
+    utils::{derive_seed_hash, get_current_time, hash_non_empty_message, invoke_handler, transfer_from, FillSeedData},
 };
 
 #[event_cpi]
@@ -25,13 +25,12 @@ pub struct FillRelay<'info> {
     #[account(mut, seeds = [b"instruction_params", signer.key().as_ref()], bump, close = signer)]
     pub instruction_params: Option<Account<'info, FillRelayParams>>,
 
-    #[account(
-        seeds = [b"state", state.seed.to_le_bytes().as_ref()],
-        bump,
-        constraint = !state.paused_fills @ CommonError::FillsArePaused
-    )]
+    #[account(seeds = [b"state", state.seed.to_le_bytes().as_ref()], bump)]
     pub state: Account<'info, State>,
 
+    /// CHECK: PDA derived with seeds ["delegate", seed_hash]; used as a CPI signer.
+    pub delegate: UncheckedAccount<'info>,
+
     #[account(
         mint::token_program = token_program,
         address = relay_data
@@ -81,10 +80,15 @@ pub struct FillRelay<'info> {
 
 pub fn fill_relay<'info>(
     ctx: Context<'_, '_, '_, 'info, FillRelay<'info>>,
+    relay_hash: [u8; 32],
     relay_data: Option<RelayData>,
     repayment_chain_id: Option<u64>,
     repayment_address: Option<Pubkey>,
 ) -> Result<()> {
+    // This type of constraint normally would be checked in the context, but had to move it here in the handler to avoid
+    // exceeding maximum stack offset.
+    require!(!ctx.accounts.state.paused_fills, CommonError::FillsArePaused);
+
     let FillRelayParams { relay_data, repayment_chain_id, repayment_address } =
         unwrap_fill_relay_params(relay_data, repayment_chain_id, repayment_address, &ctx.accounts.instruction_params);
 
@@ -114,15 +118,17 @@ pub fn fill_relay<'info>(
         _ => FillType::FastFill,
     };
 
-    // Relayer must have delegated output_amount to the state PDA
+    let seed_hash = derive_seed_hash(&(FillSeedData { relay_hash, repayment_chain_id, repayment_address }));
+
+    // Relayer must have delegated output_amount to the delegate PDA
     transfer_from(
         &ctx.accounts.relayer_token_account,
         &ctx.accounts.recipient_token_account,
         relay_data.output_amount,
-        state,
-        ctx.bumps.state,
+        &ctx.accounts.delegate,
         &ctx.accounts.mint,
         &ctx.accounts.token_program,
+        seed_hash,
     )?;
 
     // Update the fill status to Filled, set the relayer and fill deadline

programs/svm-spoke/src/lib.rs

@@ -205,6 +205,7 @@ pub mod svm_spoke {
     ///   Authority must be the state.
     /// - mint (Account): The mint account for the input token.
     /// - token_program (Interface): The token program.
+    /// - delegate (Account): The account used to delegate the input amount of the input token.
     ///
     /// ### Parameters
     /// - depositor: The account credited with the deposit. Can be different from the signer.
@@ -377,9 +378,10 @@ pub mod svm_spoke {
     /// - token_program (Interface): The token program.
     /// - associated_token_program (Interface): The associated token program.
     /// - system_program (Interface): The system program.
+    /// - delegate (Account): The account used to delegate the output amount of the output token.
     ///
     /// ### Parameters:
-    /// - _relay_hash: The hash identifying the deposit to be filled. Caller must pass this in. Computed as hash of
+    /// - relay_hash: The hash identifying the deposit to be filled. Caller must pass this in. Computed as hash of
     ///   the flattened relay_data & destination_chain_id.
     /// - relay_data: Struct containing all the data needed to identify the deposit to be filled. Should match
     ///   all the same-named parameters emitted in the origin chain FundsDeposited event.
@@ -406,12 +408,12 @@ pub mod svm_spoke {
     /// is passed, the caller must load them via the instruction_params account.
     pub fn fill_relay<'info>(
         ctx: Context<'_, '_, '_, 'info, FillRelay<'info>>,
-        _relay_hash: [u8; 32],
+        relay_hash: [u8; 32],
         relay_data: Option<RelayData>,
         repayment_chain_id: Option<u64>,
         repayment_address: Option<Pubkey>,
     ) -> Result<()> {
-        instructions::fill_relay(ctx, relay_data, repayment_chain_id, repayment_address)
+        instructions::fill_relay(ctx, relay_hash, relay_data, repayment_chain_id, repayment_address)
     }
 
     /// Closes the FillStatusAccount PDA to reclaim relayer rent.

programs/svm-spoke/src/utils/delegate_utils.rs

@@ -0,0 +1,45 @@
+use anchor_lang::{prelude::*, solana_program::keccak};
+
+pub fn derive_seed_hash<T: AnchorSerialize>(seed: &T) -> [u8; 32] {
+    let mut data = Vec::new();
+    AnchorSerialize::serialize(seed, &mut data).unwrap();
+    keccak::hash(&data).to_bytes()
+}
+
+#[derive(AnchorSerialize)]
+pub struct DepositSeedData<'a> {
+    pub depositor: Pubkey,
+    pub recipient: Pubkey,
+    pub input_token: Pubkey,
+    pub output_token: Pubkey,
+    pub input_amount: u64,
+    pub output_amount: u64,
+    pub destination_chain_id: u64,
+    pub exclusive_relayer: Pubkey,
+    pub quote_timestamp: u32,
+    pub fill_deadline: u32,
+    pub exclusivity_parameter: u32,
+    pub message: &'a Vec<u8>,
+}
+
+#[derive(AnchorSerialize)]
+pub struct DepositNowSeedData<'a> {
+    pub depositor: Pubkey,
+    pub recipient: Pubkey,
+    pub input_token: Pubkey,
+    pub output_token: Pubkey,
+    pub input_amount: u64,
+    pub output_amount: u64,
+    pub destination_chain_id: u64,
+    pub exclusive_relayer: Pubkey,
+    pub fill_deadline_offset: u32,
+    pub exclusivity_period: u32,
+    pub message: &'a Vec<u8>,
+}
+
+#[derive(AnchorSerialize)]
+pub struct FillSeedData {
+    pub relay_hash: [u8; 32],
+    pub repayment_chain_id: u64,
+    pub repayment_address: Pubkey,
+}

programs/svm-spoke/src/utils/mod.rs

@@ -1,5 +1,6 @@
 pub mod bitmap_utils;
 pub mod cctp_utils;
+pub mod delegate_utils;
 pub mod deposit_utils;
 pub mod merkle_proof_utils;
 pub mod message_utils;
@@ -8,6 +9,7 @@ pub mod transfer_utils;
 
 pub use bitmap_utils::*;
 pub use cctp_utils::*;
+pub use delegate_utils::*;
 pub use deposit_utils::*;
 pub use merkle_proof_utils::*;
 pub use message_utils::*;

programs/svm-spoke/src/utils/transfer_utils.rs

@@ -1,28 +1,28 @@
+use crate::{error::SvmError, program::SvmSpoke};
 use anchor_lang::prelude::*;
 use anchor_spl::token_interface::{transfer_checked, Mint, TokenAccount, TokenInterface, TransferChecked};
 
-use crate::State;
-
 pub fn transfer_from<'info>(
     from: &InterfaceAccount<'info, TokenAccount>,
     to: &InterfaceAccount<'info, TokenAccount>,
     amount: u64,
-    state: &Account<'info, State>,
-    state_bump: u8,
+    delegate: &UncheckedAccount<'info>,
     mint: &InterfaceAccount<'info, Mint>,
     token_program: &Interface<'info, TokenInterface>,
+    delegate_seed_hash: [u8; 32],
 ) -> Result<()> {
+    let (pda, bump) = Pubkey::find_program_address(&[b"delegate", &delegate_seed_hash], &SvmSpoke::id());
+    if pda != delegate.key() {
+        return err!(SvmError::InvalidDelegatePda);
+    }
+    let seeds: &[&[u8]] = &[b"delegate".as_ref(), &delegate_seed_hash, &[bump]];
+    let signer_seeds: &[&[&[u8]]] = &[seeds];
     let transfer_accounts = TransferChecked {
         from: from.to_account_info(),
         mint: mint.to_account_info(),
         to: to.to_account_info(),
-        authority: state.to_account_info(),
+        authority: delegate.to_account_info(),
     };
-
-    let state_seed_bytes = state.seed.to_le_bytes();
-    let seeds = &[b"state", state_seed_bytes.as_ref(), &[state_bump]];
-    let signer_seeds = &[&seeds[..]];
-
     let cpi_context = CpiContext::new_with_signer(token_program.to_account_info(), transfer_accounts, signer_seeds);
 
     transfer_checked(cpi_context, amount, mint.decimals)