Skip to content

fix: correct Associated Token Program ID for Solana payments#2

Merged
1bcMax merged 4 commits intoBlockRunAI:mainfrom
notorious-d-e-v:fix/solana-associated-token-program-id
Mar 13, 2026
Merged

fix: correct Associated Token Program ID for Solana payments#2
1bcMax merged 4 commits intoBlockRunAI:mainfrom
notorious-d-e-v:fix/solana-associated-token-program-id

Conversation

@notorious-d-e-v
Copy link
Contributor

@notorious-d-e-v notorious-d-e-v commented Mar 13, 2026
edited
Loading

Summary

Two bugs in x402.py that break all Solana payments:

1. Wrong Associated Token Program ID (line 247)

# Bug
ASSOCIATED_TOKEN_PROGRAM_ID = "ATokenGPvbdGVxr1b2hvZbsiqW5xWH25efTNsLJe1bRS"
# Fix
ASSOCIATED_TOKEN_PROGRAM_ID = "ATokenGPvbdGVxr1b2hvZbsiqW5xWH25efTNsLJA8knL"

Causes _get_ata() to derive wrong destination ATAs. Facilitator rejects with invalid_exact_svm_payload_recipient_mismatch.

2. Missing v0 version prefix when signing (line 386)

# Bug — signs raw message body
msg_bytes = bytes(message)
# Fix — includes 0x80 v0 prefix, which is what the validator verifies against
msg_bytes = b'\x80' + bytes(message)

Causes SignatureFailure during the facilitator's simulateTransaction(sigVerify: true).

Tests

  • Verifies ASSOCIATED_TOKEN_PROGRAM_ID matches Solana mainnet
  • Verifies ATA derivation against a known on-chain address
  • Verifies user signature is over 0x80 + message_body

Note

Both bugs would be eliminated by using the official x402 Python SDK (pip install x402[svm]) instead of manually reimplementing the x402 client logic. The official SDK's ExactSvmScheme handles ATA derivation, v0 signing, token program detection, and decimals correctly. See BlockRunAI/blockrun-agent-wallet#X for a tracking issue.

Reproduction

from blockrun_llm import setup_agent_solana_wallet
client = setup_agent_solana_wallet(silent=True)
client.x_trending()  # PaymentError: Payment rejected

@notorious-d-e-v
fix: correct Associated Token Program ID for Solana ATA derivation
e256ee7 
The ASSOCIATED_TOKEN_PROGRAM_ID constant was set to
ATokenGPvbdGVxr1b2hvZbsiqW5xWH25efTNsLJe1bRS (not a real program),
instead of the correct Solana mainnet program
ATokenGPvbdGVxr1b2hvZbsiqW5xWH25efTNsLJA8knL.

This caused _get_ata() to derive incorrect destination ATAs for every
Solana payment, resulting in the facilitator rejecting all payments
with `invalid_exact_svm_payload_recipient_mismatch`.
@notorious-d-e-v
test: add regression tests for ATA derivation and program ID
f7e4baf 
Verifies ASSOCIATED_TOKEN_PROGRAM_ID matches the real Solana mainnet
program, and that _get_ata() produces correct ATAs using a known
on-chain address as a reference.
@notorious-d-e-v
fix: include v0 version prefix (0x80) when signing Solana transactions
dde8dbe 
Solana v0 transactions require signatures over [0x80 + message_body],
but the SDK was signing just [message_body]. This caused the facilitator
to reject all payments with transaction_simulation_failed (SignatureFailure)
because the signatures didn't match what the validator expected.
@notorious-d-e-v
test: verify v0 transaction signature includes version prefix
f16e7f8 
Ensures the user signature in Solana payment payloads is over
0x80 + message_body, not just message_body. Without the prefix,
the facilitator's sigVerify simulation rejects the transaction.
@notorious-d-e-v notorious-d-e-v mentioned this pull request Mar 13, 2026
Closed
@1bcMax 1bcMax merged commit 7cd81c0 into BlockRunAI:main Mar 13, 2026
@notorious-d-e-v notorious-d-e-v mentioned this pull request Mar 13, 2026
Closed
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@notorious-d-e-v @1bcMax