solana: add recipient manager to endpoint message

(this follows #162 on the EVM side)

Author: kcsongor

solana/modules/ntt-messages/src/endpoint.rs

@@ -19,6 +19,7 @@ pub trait Endpoint {
 )]
 pub struct EndpointMessageData<A: MaybeSpace> {
     pub source_manager: [u8; 32],
+    pub recipient_manager: [u8; 32],
     pub manager_payload: ManagerMessage<A>,
 }
 
@@ -70,13 +71,15 @@ where
 {
     pub fn new(
         source_manager: [u8; 32],
+        recipient_manager: [u8; 32],
         manager_payload: ManagerMessage<A>,
         endpoint_payload: Vec<u8>,
     ) -> Self {
         Self {
             _phantom: PhantomData,
             message_data: EndpointMessageData {
                 source_manager,
+                recipient_manager,
                 manager_payload,
             },
             endpoint_payload,
@@ -112,6 +115,7 @@ where
         }
 
         let source_manager = Readable::read(reader)?;
+        let recipient_manager = Readable::read(reader)?;
         // TODO: we need a way to easily check that decoding the payload
         // consumes the expected amount of bytes
         let _manager_payload_len: u16 = Readable::read(reader)?;
@@ -122,6 +126,7 @@ where
 
         Ok(EndpointMessage::new(
             source_manager,
+            recipient_manager,
             manager_payload,
             endpoint_payload,
         ))
@@ -148,13 +153,15 @@ where
             message_data:
                 EndpointMessageData {
                     source_manager,
+                    recipient_manager,
                     manager_payload,
                 },
             endpoint_payload,
         } = self;
 
         E::PREFIX.write(writer)?;
         source_manager.write(writer)?;
+        recipient_manager.write(writer)?;
         let len: u16 = u16::try_from(manager_payload.written_size()).expect("u16 overflow");
         len.write(writer)?;
         // TODO: review this in wormhole-io. The written_size logic is error prone. Instead,
@@ -180,7 +187,7 @@ mod test {
     //
     #[test]
     fn test_deserialize_endpoint_message() {
-        let data = hex::decode("9945ff10042942fafabe00000000000000000000000000000000000000000000000000000079000000367999a1014667921341234300000000000000000000000000000000000000000000000000004f994e545407000000000012d687beefface00000000000000000000000000000000000000000000000000000000feebcafe0000000000000000000000000000000000000000000000000000000000110000").unwrap();
+        let data = hex::decode("9945ff10042942fafabe0000000000000000000000000000000000000000000000000000042942fababe00000000000000000000000000000000000000000000000000000079000000367999a1014667921341234300000000000000000000000000000000000000000000000000004f994e545407000000000012d687beefface00000000000000000000000000000000000000000000000000000000feebcafe0000000000000000000000000000000000000000000000000000000000110000").unwrap();
         let mut vec = &data[..];
         let message: EndpointMessage<WormholeEndpoint, NativeTokenTransfer> =
             TypePrefixedPayload::read_payload(&mut vec).unwrap();
@@ -192,6 +199,10 @@ mod test {
                     0x04, 0x29, 0x42, 0xFA, 0xFA, 0xBE, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
                     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
                 ],
+                recipient_manager: [
+                    0x04, 0x29, 0x42, 0xFA, 0xBA, 0xBE, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+                    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+                ],
                 manager_payload: ManagerMessage {
                     sequence: 233968345345,
                     sender: [

solana/programs/example-native-token-transfers/src/endpoints/wormhole/instructions/release_outbound.rs

@@ -90,6 +90,7 @@ pub fn release_outbound(ctx: Context<ReleaseOutbound>, args: ReleaseOutboundArgs
     let message: EndpointMessage<WormholeEndpoint, NativeTokenTransfer> = EndpointMessage::new(
         // TODO: should we just put the ntt id here statically?
         accs.outbox_item.to_account_info().owner.to_bytes(),
+        accs.outbox_item.recipient_manager,
         ManagerMessage {
             sequence: accs.outbox_item.sequence,
             sender: accs.outbox_item.sender.to_bytes(),

solana/programs/example-native-token-transfers/src/error.rs

@@ -15,6 +15,8 @@ pub enum NTTError {
     InvalidEndpointSibling,
     #[msg("InvalidManagerSibling")]
     InvalidManagerSibling,
+    #[msg("InvalidRecipientManager")]
+    InvalidRecipientManager,
     #[msg("TransferAlreadyRedeemed")]
     TransferAlreadyRedeemed,
     #[msg("TransferNotApproved")]

solana/programs/example-native-token-transfers/src/instructions/redeem.rs

@@ -32,8 +32,10 @@ pub struct Redeem<'info> {
     pub sibling: Account<'info, ManagerSibling>,
 
     #[account(
-        // check that the messages is targeted to this chain
+        // check that the message is targeted to this chain
         constraint = endpoint_message.message.manager_payload.payload.to_chain == config.chain_id @ NTTError::InvalidChainId,
+        // check that we're the intended recipient
+        constraint = endpoint_message.message.recipient_manager == crate::ID.to_bytes() @ NTTError::InvalidRecipientManager,
         // NOTE: we don't replay protect VAAs. Instead, we replay protect
         // executing the messages themselves with the [`released`] flag.
         owner = endpoint.endpoint_address,

solana/programs/example-native-token-transfers/src/instructions/transfer.rs

@@ -11,6 +11,7 @@ use crate::{
         outbox::{OutboxItem, OutboxRateLimit},
         rate_limit::RateLimitResult,
     },
+    sibling::ManagerSibling,
 };
 
 // this will burn the funds and create an account that either allows sending the
@@ -88,9 +89,15 @@ pub struct TransferBurn<'info> {
         seeds = [InboxRateLimit::SEED_PREFIX, args.recipient_chain.id.to_be_bytes().as_ref()],
         bump = inbox_rate_limit.bump,
     )]
-    // NOTE: it would be nice to put this into `common`, but that way we don't
+    // NOTE: it would be nice to put these into `common`, but that way we don't
     // have access to the instruction args
     pub inbox_rate_limit: Account<'info, InboxRateLimit>,
+
+    #[account(
+        seeds = [ManagerSibling::SEED_PREFIX, args.recipient_chain.id.to_be_bytes().as_ref()],
+        bump = sibling.bump,
+    )]
+    pub sibling: Account<'info, ManagerSibling>,
 }
 
 // TODO: fees for relaying?
@@ -128,11 +135,14 @@ pub fn transfer_burn(ctx: Context<TransferBurn>, args: TransferArgs) -> Result<(
         amount,
     )?;
 
+    let recipient_manager = accs.sibling.address;
+
     insert_into_outbox(
         &mut accs.common,
         &mut accs.inbox_rate_limit,
         amount,
         recipient_chain,
+        recipient_manager,
         recipient_address,
         should_queue,
     )
@@ -150,10 +160,16 @@ pub struct TransferLock<'info> {
         seeds = [InboxRateLimit::SEED_PREFIX, args.recipient_chain.id.to_be_bytes().as_ref()],
         bump = inbox_rate_limit.bump,
     )]
-    // NOTE: it would be nice to put this into `common`, but that way we don't
+    // NOTE: it would be nice to put these into `common`, but that way we don't
     // have access to the instruction args
     pub inbox_rate_limit: Account<'info, InboxRateLimit>,
 
+    #[account(
+        seeds = [ManagerSibling::SEED_PREFIX, args.recipient_chain.id.to_be_bytes().as_ref()],
+        bump = sibling.bump,
+    )]
+    pub sibling: Account<'info, ManagerSibling>,
+
     #[account(
         mut,
         token::mint = common.mint,
@@ -200,11 +216,14 @@ pub fn transfer_lock(ctx: Context<TransferLock>, args: TransferArgs) -> Result<(
         accs.common.mint.decimals,
     )?;
 
+    let recipient_manager = accs.sibling.address;
+
     insert_into_outbox(
         &mut accs.common,
         &mut accs.inbox_rate_limit,
         amount,
         recipient_chain,
+        recipient_manager,
         recipient_address,
         should_queue,
     )
@@ -215,6 +234,7 @@ fn insert_into_outbox(
     inbox_rate_limit: &mut InboxRateLimit,
     amount: u64,
     recipient_chain: ChainId,
+    recipient_manager: [u8; 32],
     recipient_address: [u8; 32],
     should_queue: bool,
 ) -> Result<()> {
@@ -241,6 +261,7 @@ fn insert_into_outbox(
         amount: NormalizedAmount::normalize(amount, common.mint.decimals),
         sender: common.sender.key(),
         recipient_chain,
+        recipient_manager,
         recipient_address,
         release_timestamp,
         released: Bitmap::new(),

solana/programs/example-native-token-transfers/src/queue/outbox.rs

@@ -15,6 +15,7 @@ pub struct OutboxItem {
     pub amount: NormalizedAmount,
     pub sender: Pubkey,
     pub recipient_chain: ChainId,
+    pub recipient_manager: [u8; 32],
     pub recipient_address: [u8; 32],
     pub release_timestamp: i64,
     pub released: Bitmap,

solana/programs/example-native-token-transfers/tests/cancel_flow.rs

@@ -5,6 +5,7 @@ use anchor_lang::prelude::*;
 use common::setup::{TestData, OTHER_CHAIN, OTHER_ENDPOINT, OTHER_MANAGER, THIS_CHAIN};
 use example_native_token_transfers::{
     config::Mode,
+    error::NTTError,
     instructions::{RedeemArgs, TransferArgs},
     queue::{inbox::InboxRateLimit, outbox::OutboxRateLimit},
 };
@@ -13,8 +14,9 @@ use ntt_messages::{
     manager::ManagerMessage, normalized_amount::NormalizedAmount, ntt::NativeTokenTransfer,
 };
 use sdk::endpoints::wormhole::instructions::receive_message::ReceiveMessage;
+use solana_program::instruction::InstructionError;
 use solana_program_test::*;
-use solana_sdk::{signature::Keypair, signer::Signer};
+use solana_sdk::{signature::Keypair, signer::Signer, transaction::TransactionError};
 use wormhole_sdk::{Address, Vaa};
 
 use crate::{
@@ -45,6 +47,7 @@ fn init_transfer_accs_args(
 ) -> (Transfer, TransferArgs) {
     let accs = Transfer {
         payer: ctx.payer.pubkey(),
+        sibling: test_data.ntt.sibling(OTHER_CHAIN),
         mint: test_data.mint,
         from: test_data.user_token_account,
         from_authority: test_data.user.pubkey(),
@@ -101,6 +104,10 @@ async fn post_transfer_vaa(
     test_data: &TestData,
     sequence: u64,
     amount: u64,
+    // TODO: this is used for a negative testing of the recipient manager
+    // address. this should not be done in the cancel flow tests, but instead a
+    // dedicated receive transfer test suite
+    recipient_manager: Option<&Pubkey>,
     recipient: &Keypair,
 ) -> (Pubkey, ManagerMessage<NativeTokenTransfer>) {
     let manager_message = ManagerMessage {
@@ -116,8 +123,16 @@ async fn post_transfer_vaa(
             to: recipient.pubkey().to_bytes(),
         },
     };
+
     let endpoint_message: EndpointMessage<WormholeEndpoint, NativeTokenTransfer> =
-        EndpointMessage::new(OTHER_MANAGER, manager_message.clone(), vec![]);
+        EndpointMessage::new(
+            OTHER_MANAGER,
+            recipient_manager
+                .map(|k| k.to_bytes())
+                .unwrap_or_else(|| test_data.ntt.program.to_bytes()),
+            manager_message.clone(),
+            vec![],
+        );
 
     let vaa = Vaa {
         version: 1,
@@ -160,8 +175,8 @@ async fn test_cancel() {
     let recipient = Keypair::new();
     let (mut ctx, test_data) = setup(Mode::Locking).await;
 
-    let (vaa0, msg0) = post_transfer_vaa(&mut ctx, &test_data, 0, 1000, &recipient).await;
-    let (vaa1, msg1) = post_transfer_vaa(&mut ctx, &test_data, 1, 2000, &recipient).await;
+    let (vaa0, msg0) = post_transfer_vaa(&mut ctx, &test_data, 0, 1000, None, &recipient).await;
+    let (vaa1, msg1) = post_transfer_vaa(&mut ctx, &test_data, 1, 2000, None, &recipient).await;
 
     let inbound_limit_before = inbound_capacity(&mut ctx, &test_data).await;
     let outbound_limit_before = outbound_capacity(&mut ctx, &test_data).await;
@@ -250,3 +265,45 @@ async fn test_cancel() {
         inbound_capacity(&mut ctx, &test_data).await
     );
 }
+
+// TODO: this should not live in this file, move to a dedicated receive test suite
+#[tokio::test]
+async fn test_wrong_recipient_manager() {
+    let recipient = Keypair::new();
+    let (mut ctx, test_data) = setup(Mode::Locking).await;
+
+    let (vaa0, msg0) = post_transfer_vaa(
+        &mut ctx,
+        &test_data,
+        0,
+        1000,
+        Some(&Pubkey::default()),
+        &recipient,
+    )
+    .await;
+
+    receive_message(
+        &test_data.ntt,
+        init_receive_message_accs(&mut ctx, &test_data, vaa0, OTHER_CHAIN, 0),
+    )
+    .submit(&mut ctx)
+    .await
+    .unwrap();
+
+    let err = redeem(
+        &test_data.ntt,
+        init_redeem_accs(&mut ctx, &test_data, OTHER_CHAIN, msg0),
+        RedeemArgs {},
+    )
+    .submit(&mut ctx)
+    .await
+    .unwrap_err();
+
+    assert_eq!(
+        err.unwrap(),
+        TransactionError::InstructionError(
+            0,
+            InstructionError::Custom(NTTError::InvalidRecipientManager.into())
+        )
+    );
+}

solana/programs/example-native-token-transfers/tests/sdk/instructions/transfer.rs

@@ -13,6 +13,7 @@ pub struct Transfer {
     pub mint: Pubkey,
     pub from: Pubkey,
     pub from_authority: Pubkey,
+    pub sibling: Pubkey,
     pub outbox_item: Pubkey,
 }
 
@@ -30,6 +31,7 @@ pub fn transfer_burn(ntt: &NTT, transfer: Transfer, args: TransferArgs) -> Instr
     let accounts = example_native_token_transfers::accounts::TransferBurn {
         common: common(ntt, &transfer),
         inbox_rate_limit: ntt.inbox_rate_limit(chain_id),
+        sibling: transfer.sibling,
     };
 
     Instruction {
@@ -46,6 +48,7 @@ pub fn transfer_lock(ntt: &NTT, transfer: Transfer, args: TransferArgs) -> Instr
     let accounts = example_native_token_transfers::accounts::TransferLock {
         common: common(ntt, &transfer),
         inbox_rate_limit: ntt.inbox_rate_limit(chain_id),
+        sibling: transfer.sibling,
         custody: ntt.custody(&transfer.mint),
     };
     Instruction {