solana: harden missing token account checks (#188)

Co-authored-by: A5 Pickle <a5-pickle@users.noreply.github.com>

Author: a5-pickle

solana/programs/matching-engine/src/composite/mod.rs

@@ -384,9 +384,12 @@ pub struct ExecuteOrder<'info> {
     )]
     pub active_auction: ActiveAuction<'info>,
 
-    /// CHECK: Must be a token account, whose mint is [common::USDC_MINT].
-    #[account(mut)]
-    pub executor_token: UncheckedAccount<'info>,
+    /// Must be a token account, whose mint is [common::USDC_MINT].
+    #[account(
+        mut,
+        token::mint = common::USDC_MINT,
+    )]
+    pub executor_token: Box<Account<'info, token::TokenAccount>>,
 
     /// CHECK: Mutable. Must equal [initial_offer](Auction::initial_offer).
     #[account(

solana/programs/matching-engine/src/processor/auction/execute_fast_order/mod.rs

@@ -111,20 +111,21 @@ fn prepare_order_execution<'info>(
 
         // If the initial offer token account doesn't exist anymore, we have nowhere to send the
         // init auction fee. The executor will get these funds instead.
-        if !initial_offer_token.data_is_empty() {
-            // Deserialize to token account to find owner. We know this is a legitimate token
-            // account, so it is safe to borrow and unwrap here.
-            {
-                let mut acc_data: &[_] = &initial_offer_token.data.borrow();
-                let token_data = token::TokenAccount::try_deserialize(&mut acc_data).unwrap();
-                require_keys_eq!(
-                    token_data.owner,
-                    initial_participant.key(),
-                    ErrorCode::ConstraintTokenOwner
-                );
+        //
+        // Deserialize to token account to find owner. We check that this is a legitimate token
+        // account.
+        if let Some(token_data) =
+            utils::checked_deserialize_token_account(initial_offer_token, &custody_token.mint)
+        {
+            // Before setting the beneficiary to the initial participant, we need to make sure that
+            // he is the owner of this token account.
+            require_keys_eq!(
+                token_data.owner,
+                initial_participant.key(),
+                ErrorCode::ConstraintTokenOwner
+            );
 
-                beneficiary.replace(initial_participant.to_account_info());
-            }
+            beneficiary.replace(initial_participant.to_account_info());
 
             if best_offer_token.key() != initial_offer_token.key() {
                 // Pay the auction initiator their fee.
@@ -155,8 +156,8 @@ fn prepare_order_execution<'info>(
         // Return the security deposit and the fee to the highest bidder.
         //
         if best_offer_token.key() == executor_token.key() {
-            // If the best offer token is equal to the executor token, just send whatever remains in the
-            // custody token account.
+            // If the best offer token is equal to the executor token, just send whatever remains in
+            // the custody token account.
             //
             // NOTE: This will revert if the best offer token does not exist. But this will present
             // an opportunity for another executor to execute this order and take what the best
@@ -177,7 +178,9 @@ fn prepare_order_execution<'info>(
             // Otherwise, send the deposit and fee to the best offer token. If the best offer token
             // doesn't exist at this point (which would be unusual), we will reserve these funds
             // for the executor token.
-            if !best_offer_token.data_is_empty() {
+            if utils::checked_deserialize_token_account(best_offer_token, &custody_token.mint)
+                .is_some()
+            {
                 token::transfer(
                     CpiContext::new_with_signer(
                         token_program.to_account_info(),

solana/programs/matching-engine/src/processor/auction/offer/improve.rs

@@ -79,7 +79,9 @@ pub fn improve_offer(ctx: Context<ImproveOffer>, offer_price: u64) -> Result<()>
             // If the best offer token happens to be closed, we will just keep the funds in the
             // auction custody account. The executor token account will collect these funds when the
             // order is executed.
-            if !best_offer_token.data_is_empty() {
+            if utils::checked_deserialize_token_account(best_offer_token, &custody_token.mint)
+                .is_some()
+            {
                 token::transfer(
                     CpiContext::new_with_signer(
                         token_program.to_account_info(),

solana/programs/matching-engine/src/utils/mod.rs

@@ -4,6 +4,7 @@ pub mod auction;
 
 use crate::{error::MatchingEngineError, state::RouterEndpoint};
 use anchor_lang::prelude::*;
+use anchor_spl::token;
 use common::wormhole_cctp_solana::wormhole::{VaaAccount, SOLANA_CHAIN};
 
 pub trait VaaDigest {
@@ -40,3 +41,18 @@ pub fn require_local_endpoint(endpoint: &RouterEndpoint) -> Result<bool> {
 
     Ok(true)
 }
+
+pub fn checked_deserialize_token_account(
+    acc_info: &AccountInfo,
+    expected_mint: &Pubkey,
+) -> Option<token::TokenAccount> {
+    if acc_info.owner != &token::ID {
+        None
+    } else {
+        let data = acc_info.try_borrow_data().ok()?;
+
+        token::TokenAccount::try_deserialize(&mut &data[..])
+            .ok()
+            .filter(|token_data| &token_data.mint == expected_mint && !token_data.is_frozen())
+    }
+}

solana/ts/src/idl/json/matching_engine.json

@@ -685,6 +685,9 @@
             },
             {
               "name": "executor_token",
+              "docs": [
+                "Must be a token account, whose mint is [common::USDC_MINT]."
+              ],
               "writable": true
             },
             {
@@ -877,6 +880,9 @@
             },
             {
               "name": "executor_token",
+              "docs": [
+                "Must be a token account, whose mint is [common::USDC_MINT]."
+              ],
               "writable": true
             },
             {

solana/ts/src/idl/ts/matching_engine.ts

@@ -691,6 +691,9 @@ export type MatchingEngine = {
             },
             {
               "name": "executorToken",
+              "docs": [
+                "Must be a token account, whose mint is [common::USDC_MINT]."
+              ],
               "writable": true
             },
             {
@@ -883,6 +886,9 @@ export type MatchingEngine = {
             },
             {
               "name": "executorToken",
+              "docs": [
+                "Must be a token account, whose mint is [common::USDC_MINT]."
+              ],
               "writable": true
             },
             {