solana: Mark existing dylint warnings as false positives

Adds linting directives to ignore functions that have been reviewed for
safety.
Adds some missing function documentation

Author: johnsaigle

solana/programs/example-native-token-transfers/src/instructions/admin.rs

@@ -52,6 +52,8 @@ pub struct TransferOwnership<'info> {
     bpf_loader_upgradeable_program: Program<'info, BpfLoaderUpgradeable>,
 }
 
+#[allow(unknown_lints)]
+#[allow(missing_owner_check)]
 pub fn transfer_ownership(ctx: Context<TransferOwnership>) -> Result<()> {
     // Missing ownership check is OK here: new_owner is not expected to interact with this
     // instruction. Instead, they call [`claim_ownership`]. The whole intention of new_owner
@@ -67,6 +69,7 @@ pub fn transfer_ownership(ctx: Context<TransferOwnership>) -> Result<()> {
             bpf_loader_upgradeable::SetUpgradeAuthorityChecked {
                 program_data: ctx.accounts.program_data.to_account_info(),
                 current_authority: ctx.accounts.owner.to_account_info(),
+                // Missing ownership check is OK here: upgrade_lock is enforced to be a PDA.
                 new_authority: ctx.accounts.upgrade_lock.to_account_info(),
             },
             &[&[b"upgrade_lock", &[ctx.bumps.upgrade_lock]]],
@@ -107,6 +110,8 @@ pub struct ClaimOwnership<'info> {
     bpf_loader_upgradeable_program: Program<'info, BpfLoaderUpgradeable>,
 }
 
+#[allow(unknown_lints)]
+#[allow(missing_owner_check)]
 pub fn claim_ownership(ctx: Context<ClaimOwnership>) -> Result<()> {
     ctx.accounts.config.pending_owner = None;
     ctx.accounts.config.owner = ctx.accounts.new_owner.key();
@@ -118,6 +123,7 @@ pub fn claim_ownership(ctx: Context<ClaimOwnership>) -> Result<()> {
                 .to_account_info(),
             bpf_loader_upgradeable::SetUpgradeAuthorityChecked {
                 program_data: ctx.accounts.program_data.to_account_info(),
+                // Missing ownership check is OK here: upgrade_lock is enforced to be a PDA.
                 current_authority: ctx.accounts.upgrade_lock.to_account_info(),
                 new_authority: ctx.accounts.new_owner.to_account_info(),
             },

solana/programs/example-native-token-transfers/src/instructions/release_inbound.rs

@@ -60,6 +60,12 @@ pub struct ReleaseInboundMint<'info> {
 /// Setting this flag to `false` is useful when bundling this instruction
 /// together with [`crate::instructions::redeem`] in a transaction, so that the minting
 /// is attempted optimistically.
+/// SECURITY: Owner checks are disabled here. Ownership checks are enforced by implicit anchor constraints.
+/// SECURITY: Signer checks are disabled here. The signer is checked implicitly by [`ReleaseInbound`]
+/// which is wrapped by [`ReleaseInboundMint`].
+#[allow(unknown_lints)]
+#[allow(missing_owner_check)]
+#[allow(missing_signer_check)]
 pub fn release_inbound_mint(
     ctx: Context<ReleaseInboundMint>,
     args: ReleaseInboundArgs,
@@ -115,6 +121,12 @@ pub struct ReleaseInboundUnlock<'info> {
 /// Setting this flag to `false` is useful when bundling this instruction
 /// together with [`crate::instructions::redeem`], so that the unlocking
 /// is attempted optimistically.
+/// SECURITY: Owner checks are disabled here. Ownership checks are enforced by implicit anchor constraints.
+/// SECURITY: Signer checks are disabled here because anyone is permitted to send a release
+/// transaction
+#[allow(unknown_lints)]
+#[allow(missing_owner_check)]
+#[allow(missing_signer_check)]
 pub fn release_inbound_unlock(
     ctx: Context<ReleaseInboundUnlock>,
     args: ReleaseInboundArgs,

solana/programs/example-native-token-transfers/src/instructions/transfer.rs

@@ -102,6 +102,16 @@ pub struct TransferBurn<'info> {
 }
 
 // TODO: fees for relaying?
+/// Burns tokens and issues a corresponding notification to the outbox of the connected
+/// [`NttManagerPeer`].
+/// SECURITY: Owner checks are disabled here. Ownership checks are enforced by implicit 
+/// anchor constraints in the `Transfer` account struct.
+/// transaction
+/// SECURITY: Signer check is disabled here. The signer is checked via the `Transfer` struct
+/// wrapped by`TransferBurn`.
+#[allow(unknown_lints)]
+#[allow(missing_owner_check)]
+#[allow(missing_signer_check)]
 pub fn transfer_burn(ctx: Context<TransferBurn>, args: TransferArgs) -> Result<()> {
     require_eq!(
         ctx.accounts.common.config.mode,
@@ -124,6 +134,8 @@ pub fn transfer_burn(ctx: Context<TransferBurn>, args: TransferArgs) -> Result<(
         accs.peer.token_decimals,
     );
 
+    // Missing ownership checks are OK here. These accounts are verified via
+    // implicit constraints in `InterfaceAccount`, `TokenAccount` and `Mint` defined above.
     token_interface::burn(
         CpiContext::new_with_signer(
             accs.common.token_program.to_account_info(),
@@ -186,6 +198,16 @@ pub struct TransferLock<'info> {
 
 // TODO: fees for relaying?
 // TODO: factor out common bits
+/// Locks tokens and issues a corresponding notification to the outbox of the connected
+/// [`NttManagerPeer`].
+/// SECURITY: Owner checks are disabled here. Ownership checks are enforced by implicit 
+/// anchor constraints in the `Transfer` account struct.
+/// transaction
+/// SECURITY: Signer check is disabled here. The signer is checked via the `Transfer` struct
+/// wrapped by`TransferLock`
+#[allow(unknown_lints)]
+#[allow(missing_owner_check)]
+#[allow(missing_signer_check)]
 pub fn transfer_lock(ctx: Context<TransferLock>, args: TransferArgs) -> Result<()> {
     require_eq!(
         ctx.accounts.common.config.mode,
@@ -208,6 +230,8 @@ pub fn transfer_lock(ctx: Context<TransferLock>, args: TransferArgs) -> Result<(
         accs.peer.token_decimals,
     );
 
+    // Missing ownership checks are OK here. These accounts are verified via
+    // implicit constraints in `InterfaceAccount`, `TokenAccount` and `Mint` defined above.
     token_interface::transfer_checked(
         CpiContext::new_with_signer(
             accs.common.token_program.to_account_info(),

solana/programs/example-native-token-transfers/src/transceivers/wormhole/accounts.rs

@@ -28,6 +28,14 @@ pub struct WormholeAccounts<'info> {
     pub rent: Sysvar<'info, Rent>,
 }
 
+/// SECURITY: Owner checks are disabled. Each of [`WormholeAccounts::bridge`], [`WormholeAccounts::fee_collector`], 
+/// and [`WormholeAccounts::sequence`] must be checked by the Wormhole core bridge.
+/// wrapped by`TransferBurn`.
+/// SECURITY: Signer checks are disabled. The only valid sender is the
+/// [`wormhole::PostMessage::emitter`], enforced by the [`CpiContext`] below.
+#[allow(unknown_lints)]
+#[allow(missing_owner_check)]
+#[allow(missing_signer_check)]
 pub fn post_message<'info, A: TypePrefixedPayload>(
     wormhole: &WormholeAccounts<'info>,
     payer: AccountInfo<'info>,
@@ -68,6 +76,10 @@ pub fn post_message<'info, A: TypePrefixedPayload>(
     Ok(())
 }
 
+/// SECURITY: Owner and signer checks are disabled as this private function is used only by
+/// [`post_message`].
+#[allow(missing_owner_check)]
+#[allow(missing_signer_check)]
 fn pay_wormhole_fee<'info>(
     wormhole: &WormholeAccounts<'info>,
     payer: &AccountInfo<'info>,

solana/programs/example-native-token-transfers/src/transceivers/wormhole/instructions/broadcast_id.rs

@@ -30,6 +30,10 @@ pub struct BroadcastId<'info> {
     pub wormhole: WormholeAccounts<'info>,
 }
 
+/// SECURITY: Owner checks are disabled. [`token_interface::Mint`] performs implicit ownership
+/// checks for token accounts. [`BroadcastId::emitter`] is enforced to be a PDA.
+#[allow(unknown_lints)]
+#[allow(missing_owner_check)]
 pub fn broadcast_id(ctx: Context<BroadcastId>) -> Result<()> {
     let accs = ctx.accounts;
     let message = WormholeTransceiverInfo {

solana/programs/example-native-token-transfers/src/transceivers/wormhole/instructions/broadcast_peer.rs

@@ -39,6 +39,9 @@ pub struct BroadcastPeerArgs {
     pub chain_id: u16,
 }
 
+/// SECURITY: Owner checks are disabled. [`BroadcastPeer::emitter`] is enforced to be a PDA.
+#[allow(unknown_lints)]
+#[allow(missing_owner_check)]
 pub fn broadcast_peer(ctx: Context<BroadcastPeer>, args: BroadcastPeerArgs) -> Result<()> {
     let accs = ctx.accounts;
 

solana/programs/example-native-token-transfers/src/transceivers/wormhole/instructions/release_outbound.rs

@@ -54,6 +54,11 @@ pub struct ReleaseOutboundArgs {
     pub revert_on_delay: bool,
 }
 
+/// SECURITY: Owner checks are disabled. [`ReleaseOutbound::emitter`] is enforced to be a PDA.
+/// [`ReleaseOutbound::wormhole_message`] is verified by the Wormhole core bridge instead of this
+/// program.
+#[allow(unknown_lints)]
+#[allow(missing_owner_check)]
 pub fn release_outbound(ctx: Context<ReleaseOutbound>, args: ReleaseOutboundArgs) -> Result<()> {
     let accs = ctx.accounts;
     let released = accs.outbox_item.try_release(accs.transceiver.id)?;