fix: restore derived mint ix data mint comparison

[ananas-block]

Summary by CodeRabbit

• Bug Fixes
  • Added validation to detect and reject invalid mint configurations during transaction processing.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

A validation check was added to the create_mint function to verify that the computed SPL mint PDA matches the provided mint address from instruction data, returning an error early if validation fails.

Changes

Cohort / File(s)	Summary
SPL Mint PDA Validation programs/compressed-token/program/src/mint_action/actions/create_mint.rs	Added early validation to compare computed spl_mint_pda with parsed instruction mint address; logs error and returns MintActionInvalidMintPda on mismatch

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

• Attention area: Verify that the PDA derivation logic used for comparison matches the canonical derivation elsewhere in the codebase
• Attention area: Confirm the error code MintActionInvalidMintPda is the semantically correct error variant for this validation failure
• Attention area: Check whether the log message is appropriately descriptive for debugging

Poem

A guardian at the gate now stands,
Checking PDAs with careful hands,
"Does this mint belong here?" it asks with care,
No bogus addresses will slip through there! ✨🔐

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix: restore derived mint ix data mint comparison' directly describes the main change: restoring a validation check that compares derived mint PDAs with instruction data.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 70.00%.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch jorrit/fix-restore-mint-action-mint-ix-data-cmp

---

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 82470c4 and ca6b065.

📒 Files selected for processing (1)

• programs/compressed-token/program/src/mint_action/actions/create_mint.rs (1 hunks)

🧰 Additional context used

📓 Path-based instructions (4)

programs/compressed-token/program/src/**/*.rs

📄 CodeRabbit inference engine (programs/compressed-token/program/CLAUDE.md)

programs/compressed-token/program/src/**/*.rs: Compressed token accounts (ctoken solana accounts) must use the same account layout as SPL tokens with a custom Compressible extension
Compressed mint accounts (cmints) support only one extension: TokenMetadata

Files:

• programs/compressed-token/program/src/mint_action/actions/create_mint.rs

programs/compressed-token/program/src/mint_action/**/*.rs

📄 CodeRabbit inference engine (programs/compressed-token/program/CLAUDE.md)

MintAction instruction must support 9 action types: CreateCompressedMint, MintTo, UpdateMintAuthority, UpdateFreezeAuthority, CreateSplMint, MintToCToken, UpdateMetadataField, UpdateMetadataAuthority, RemoveMetadataKey

Files:

• programs/compressed-token/program/src/mint_action/actions/create_mint.rs

**/programs/**/src/**/*.rs

📄 CodeRabbit inference engine (DOCS.md)

For accounts with associated methods, add a Methods section grouping methods by purpose (Validation, Constructors, PDA Derivation, etc.) with concise parameter names in signatures, one-line action-oriented descriptions, and concrete values where helpful (constants, defaults)

Files:

• programs/compressed-token/program/src/mint_action/actions/create_mint.rs

programs/**/*.rs

📄 CodeRabbit inference engine (CLAUDE.md)

Unit tests in programs must not depend on light-test-utils; any test requiring light-test-utils must be in program-tests

Files:

• programs/compressed-token/program/src/mint_action/actions/create_mint.rs

🧠 Learnings (17)

📓 Common learnings

Learnt from: CR
Repo: Lightprotocol/light-protocol PR: 0
File: program-libs/account-checks/docs/ACCOUNT_CHECKS.md:0-0
Timestamp: 2025-11-24T17:58:50.237Z
Learning: Applies to program-libs/account-checks/docs/program-libs/account-checks/src/checks.rs : Implement `check_pda_seeds_with_bump` function to verify PDA with known bump seed using `create_program_address`, returning `InvalidSeeds` (20010) error on mismatch

Learnt from: CR
Repo: Lightprotocol/light-protocol PR: 0
File: program-libs/account-checks/docs/ACCOUNT_CHECKS.md:0-0
Timestamp: 2025-11-24T17:58:50.237Z
Learning: Applies to program-libs/account-checks/docs/program-libs/account-checks/src/checks.rs : Implement `check_pda_seeds` function to derive PDA using `find_program_address` and verify it matches account key, returning `InvalidSeeds` (20010) error on mismatch

📚 Learning: 2025-11-24T18:01:42.343Z

Learnt from: CR
Repo: Lightprotocol/light-protocol PR: 0
File: programs/compressed-token/program/CLAUDE.md:0-0
Timestamp: 2025-11-24T18:01:42.343Z
Learning: Applies to programs/compressed-token/program/src/mint_action/**/*.rs : MintAction instruction must support 9 action types: CreateCompressedMint, MintTo, UpdateMintAuthority, UpdateFreezeAuthority, CreateSplMint, MintToCToken, UpdateMetadataField, UpdateMetadataAuthority, RemoveMetadataKey

Applied to files:

• programs/compressed-token/program/src/mint_action/actions/create_mint.rs

📚 Learning: 2025-11-24T18:01:54.689Z

Learnt from: CR
Repo: Lightprotocol/light-protocol PR: 0
File: programs/compressed-token/program/docs/instructions/CLAUDE.md:0-0
Timestamp: 2025-11-24T18:01:54.689Z
Learning: Applies to programs/compressed-token/program/docs/instructions/instructions/MINT_ACTION.md : MintAction documentation must cover batch instruction for compressed mint management supporting 9 actions: CreateCompressedMint, MintTo, UpdateMintAuthority, UpdateFreezeAuthority, CreateSplMint, MintToCToken, UpdateMetadataField, UpdateMetadataAuthority, RemoveMetadataKey

Applied to files:

• programs/compressed-token/program/src/mint_action/actions/create_mint.rs

📚 Learning: 2025-11-24T17:58:50.237Z

Learnt from: CR
Repo: Lightprotocol/light-protocol PR: 0
File: program-libs/account-checks/docs/ACCOUNT_CHECKS.md:0-0
Timestamp: 2025-11-24T17:58:50.237Z
Learning: Applies to program-libs/account-checks/docs/program-libs/account-checks/src/checks.rs : Implement `check_pda_seeds_with_bump` function to verify PDA with known bump seed using `create_program_address`, returning `InvalidSeeds` (20010) error on mismatch

Applied to files:

• programs/compressed-token/program/src/mint_action/actions/create_mint.rs

📚 Learning: 2025-11-24T18:01:03.786Z

Learnt from: CR
Repo: Lightprotocol/light-protocol PR: 0
File: program-libs/account-checks/CLAUDE.md:0-0
Timestamp: 2025-11-24T18:01:03.786Z
Learning: Applies to program-libs/account-checks/src/account_info/*.rs : Provide PDA derivation functions (`find_program_address`, `create_program_address`) and permission checks in AccountInfoTrait

Applied to files:

• programs/compressed-token/program/src/mint_action/actions/create_mint.rs

📚 Learning: 2025-11-24T17:58:50.237Z

Learnt from: CR
Repo: Lightprotocol/light-protocol PR: 0
File: program-libs/account-checks/docs/ACCOUNT_CHECKS.md:0-0
Timestamp: 2025-11-24T17:58:50.237Z
Learning: Applies to program-libs/account-checks/docs/program-libs/account-checks/src/checks.rs : Implement `check_pda_seeds` function to derive PDA using `find_program_address` and verify it matches account key, returning `InvalidSeeds` (20010) error on mismatch

Applied to files:

• programs/compressed-token/program/src/mint_action/actions/create_mint.rs

📚 Learning: 2025-11-24T17:59:54.233Z

Learnt from: CR
Repo: Lightprotocol/light-protocol PR: 0
File: program-libs/account-checks/docs/PACKED_ACCOUNTS.md:0-0
Timestamp: 2025-11-24T17:59:54.233Z
Learning: Applies to program-libs/account-checks/docs/program-libs/account-checks/src/**/*.rs : Provide descriptive names in ProgramPackedAccounts error messages (e.g., 'token_mint' instead of 'account')

Applied to files:

• programs/compressed-token/program/src/mint_action/actions/create_mint.rs

📚 Learning: 2025-11-24T18:01:42.343Z

Learnt from: CR
Repo: Lightprotocol/light-protocol PR: 0
File: programs/compressed-token/program/CLAUDE.md:0-0
Timestamp: 2025-11-24T18:01:42.343Z
Learning: Applies to programs/compressed-token/program/src/transfer2/**/*.rs : Transfer2 instruction must support Compress, Decompress, and CompressAndClose operations with multi-mint support and sum checks

Applied to files:

• programs/compressed-token/program/src/mint_action/actions/create_mint.rs

📚 Learning: 2025-11-24T18:01:42.343Z

Learnt from: CR
Repo: Lightprotocol/light-protocol PR: 0
File: programs/compressed-token/program/CLAUDE.md:0-0
Timestamp: 2025-11-24T18:01:42.343Z
Learning: Applies to programs/compressed-token/program/src/{claim,withdraw_funding_pool}*.rs : Claim and Withdraw Funding Pool instructions require config validation that allows Not Inactive state (active or deprecated OK)

Applied to files:

• programs/compressed-token/program/src/mint_action/actions/create_mint.rs

📚 Learning: 2025-11-24T17:59:23.357Z

Learnt from: CR
Repo: Lightprotocol/light-protocol PR: 0
File: program-libs/account-checks/docs/CLAUDE.md:0-0
Timestamp: 2025-11-24T17:59:23.357Z
Learning: Applies to program-libs/account-checks/docs/src/**/checks.rs : Implement comprehensive validation functions in the checks module covering ownership validation, permission checks, discriminator handling, and PDA verification

Applied to files:

• programs/compressed-token/program/src/mint_action/actions/create_mint.rs

📚 Learning: 2025-11-24T17:57:53.312Z

Learnt from: CR
Repo: Lightprotocol/light-protocol PR: 0
File: program-libs/batched-merkle-tree/docs/TREE_ACCOUNT.md:0-0
Timestamp: 2025-11-24T17:57:53.312Z
Learning: Applies to program-libs/batched-merkle-tree/docs/**/*.rs : Account validation for address trees must check: (1) account ownership by Light account compression program, (2) account discriminator is `BatchMta`, and (3) tree type is `ADDRESS_MERKLE_TREE_TYPE_V2` (5)

Applied to files:

• programs/compressed-token/program/src/mint_action/actions/create_mint.rs

📚 Learning: 2025-11-24T17:56:20.711Z

Learnt from: CR
Repo: Lightprotocol/light-protocol PR: 0
File: program-libs/batched-merkle-tree/docs/INITIALIZE_ADDRESS_TREE.md:0-0
Timestamp: 2025-11-24T17:56:20.711Z
Learning: Applies to program-libs/batched-merkle-tree/docs/src/initialize_address_tree.rs : Verify merkle_tree_account data length matches calculated size in `src/initialize_address_tree.rs`. Return error `AccountError::InvalidAccountSize` (error code: 12006) if account data length doesn't match calculated size requirements.

Applied to files:

• programs/compressed-token/program/src/mint_action/actions/create_mint.rs

📚 Learning: 2025-11-24T17:55:32.059Z

Learnt from: CR
Repo: Lightprotocol/light-protocol PR: 0
File: sdk-tests/sdk-ctoken-test/README.md:0-0
Timestamp: 2025-11-24T17:55:32.059Z
Learning: Applies to sdk-tests/sdk-ctoken-test/**/*.rs : Derive PDAs using `Pubkey::find_program_address()` before using in `invoke_signed()` calls, passing the bump as part of `signer_seeds`

Applied to files:

• programs/compressed-token/program/src/mint_action/actions/create_mint.rs

📚 Learning: 2025-11-24T17:59:03.485Z

Learnt from: CR
Repo: Lightprotocol/light-protocol PR: 0
File: program-libs/account-checks/docs/ACCOUNT_INFO_TRAIT.md:0-0
Timestamp: 2025-11-24T17:59:03.485Z
Learning: Applies to program-libs/account-checks/docs/**/*.rs : PDA derivation functions should accept `&[&[u8]]` for seeds and `&[u8; 32]` for program_id when using AccountInfoTrait methods `find_program_address()` or `create_program_address()`

Applied to files:

• programs/compressed-token/program/src/mint_action/actions/create_mint.rs

📚 Learning: 2025-11-24T17:56:50.011Z

Learnt from: CR
Repo: Lightprotocol/light-protocol PR: 0
File: program-libs/batched-merkle-tree/docs/INITIALIZE_STATE_TREE.md:0-0
Timestamp: 2025-11-24T17:56:50.011Z
Learning: Applies to program-libs/batched-merkle-tree/docs/src/initialize_state_tree.rs : Return error `AccountError::InvalidAccountSize` (error code 12006) when account data length doesn't match calculated size requirements

Applied to files:

• programs/compressed-token/program/src/mint_action/actions/create_mint.rs

📚 Learning: 2025-11-24T17:58:35.079Z

Learnt from: CR
Repo: Lightprotocol/light-protocol PR: 0
File: program-libs/batched-merkle-tree/docs/UPDATE_FROM_OUTPUT_QUEUE.md:0-0
Timestamp: 2025-11-24T17:58:35.079Z
Learning: Applies to program-libs/batched-merkle-tree/docs/src/merkle_tree.rs : Verify queue and tree association by matching pubkeys; error with `MerkleTreeAndQueueNotAssociated` (14001) if they don't match

Applied to files:

• programs/compressed-token/program/src/mint_action/actions/create_mint.rs

📚 Learning: 2025-11-24T17:59:03.485Z

Learnt from: CR
Repo: Lightprotocol/light-protocol PR: 0
File: program-libs/account-checks/docs/ACCOUNT_INFO_TRAIT.md:0-0
Timestamp: 2025-11-24T17:59:03.485Z
Learning: Applies to program-libs/account-checks/docs/program-libs/account-checks/src/account_info/pinocchio.rs : Pinocchio AccountInfo implementations should use native on-chain implementations for PDA functions when available, with fallback to solana_pubkey off-chain

Applied to files:

• programs/compressed-token/program/src/mint_action/actions/create_mint.rs

🧬 Code graph analysis (1)

programs/compressed-token/program/src/mint_action/actions/create_mint.rs (1)

program-libs/array-map/src/lib.rs (1)

• pubkey_eq (171-181)

⏰ Context from checks skipped due to timeout of 900000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (18)

• GitHub Check: programs (compressed-token-and-e2e, ["cargo-test-sbf -p compressed-token-test --test v1", "cargo-...
• GitHub Check: programs (light-system-program-address, ["cargo-test-sbf -p system-test -- test_with_address", "c...
• GitHub Check: programs (system-cpi-test, ["cargo-test-sbf -p system-cpi-test", "cargo test -p light-system-prog...
• GitHub Check: programs (compressed-token-batched-tree, ["cargo-test-sbf -p compressed-token-test -- test_transf...
• GitHub Check: stateless-js-v2
• GitHub Check: programs (account-compression-and-registry, ["cargo-test-sbf -p account-compression-test", "cargo...
• GitHub Check: programs (system-cpi-test-v2-functional-account-infos, ["cargo-test-sbf -p system-cpi-v2-test -- ...
• GitHub Check: programs (light-system-program-compression, ["cargo-test-sbf -p system-test -- test_with_compress...
• GitHub Check: programs (system-cpi-test-v2-functional-read-only, ["cargo-test-sbf -p system-cpi-v2-test -- func...
• GitHub Check: Forester e2e test
• GitHub Check: cli-v1
• GitHub Check: lint
• GitHub Check: stateless-js-v1
• GitHub Check: cli-v2
• GitHub Check: system-programs (sdk-libs, light-sdk-macros light-sdk light-program-test light-client light-compr...
• GitHub Check: system-programs (token test, ["cargo-test-sbf -p sdk-token-test"])
• GitHub Check: system-programs (native, ["cargo-test-sbf -p sdk-native-test", "cargo-test-sbf -p sdk-v1-native-t...
• GitHub Check: system-programs (anchor & pinocchio, ["cargo-test-sbf -p sdk-anchor-test", "cargo-test-sbf -p sdk...

🔇 Additional comments (1)

programs/compressed-token/program/src/mint_action/actions/create_mint.rs (1)

35-41: PDA vs instruction-data mint consistency check is correct and closes a real gap

This new pubkey_eq check between the derived spl_mint_pda and parsed_instruction_data.mint.metadata.mint is exactly the missing invariant:

• You first derive the canonical SPL mint PDA from COMPRESSED_MINT_SEED and mint_signer using crate::ID.
• You then assert that the mint pubkey embedded in the instruction data matches that PDA before using spl_mint_pda to derive the compressed address and populate new_address_params.

That prevents a malicious client from encoding an arbitrary mint in metadata.mint while still having the compressed address derived from the canonical PDA, and it fails fast with a specific MintActionInvalidMintPda error and clear log message. The placement (immediately after the create_mint presence check and before any further derivations) is also spot on.

Nice alignment with the PDA verification patterns from the account-checks learnings, applied here at the instruction-data level. Based on learnings, ...

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}