From d38901c5470a8657c00c4415c7fa7375417f9948 Mon Sep 17 00:00:00 2001
From: ananas-block <jorrit@lightprotocol.com>
Date: Fri, 6 Feb 2026 08:09:43 +0100
Subject: [PATCH 1/2] fix: reject rent sponsor self-referencing the token
 account

Audit issue #9 (INFO): The rent payer could be the same account as
the target token account being created. Add a check that rejects
this self-reference to prevent accounting issues.
---
 .../program/src/shared/initialize_ctoken_account.rs         | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/programs/compressed-token/program/src/shared/initialize_ctoken_account.rs b/programs/compressed-token/program/src/shared/initialize_ctoken_account.rs
index fb802be477..4c549b41a1 100644
--- a/programs/compressed-token/program/src/shared/initialize_ctoken_account.rs
+++ b/programs/compressed-token/program/src/shared/initialize_ctoken_account.rs
@@ -69,6 +69,12 @@ pub fn create_compressible_account<'info>(
     account_seeds: Option<&[Seed]>,
     is_ata: bool,
 ) -> Result<CompressibleInitData<'info>, ProgramError> {
+    // Validate rent payer is not the token account itself
+    if rent_payer.key() == target_account.key() {
+        msg!("Rent sponsor cannot be the token account itself");
+        return Err(ProgramError::InvalidAccountData);
+    }
+
     // Validate rent_payment != 1 (epoch boundary edge case)
     if compressible_config.rent_payment == 1 {
         msg!("Prefunding for exactly 1 epoch is not allowed. If the account is created near an epoch boundary, it could become immediately compressible. Use 0 or 2+ epochs.");

From 456b4556d45e1f14e719af26bc524c4dce47a682 Mon Sep 17 00:00:00 2001
From: ananas-block <jorrit@lightprotocol.com>
Date: Mon, 9 Feb 2026 16:45:36 +0100
Subject: [PATCH 2/2] test: add failing test rent sponsor self reference

---
 .../tests/light_token/create.rs               | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/program-tests/compressed-token-test/tests/light_token/create.rs b/program-tests/compressed-token-test/tests/light_token/create.rs
index 85e8773386..a9f9aa5296 100644
--- a/program-tests/compressed-token-test/tests/light_token/create.rs
+++ b/program-tests/compressed-token-test/tests/light_token/create.rs
@@ -694,4 +694,29 @@ async fn test_create_compressible_token_account_failing() {
         // Only version 3 (ShaFlat) is supported for compressible accounts
         light_program_test::utils::assert::assert_rpc_error(result, 0, 2).unwrap();
     }
+
+    // Test 13: Rent sponsor self-referencing token account (audit issue #9)
+    // The rent sponsor cannot be the same account as the token account being created.
+    // This would create a self-referencing loop that could corrupt account state.
+    // Error: 3 (InvalidAccountData)
+    {
+        context.token_account_keypair = Keypair::new();
+        let compressible_data = CompressibleData {
+            compression_authority: context.compression_authority,
+            rent_sponsor: context.token_account_keypair.pubkey(), // Self-reference!
+            num_prepaid_epochs: 2,
+            lamports_per_write: Some(100),
+            account_version: light_token_interface::state::TokenDataVersion::ShaFlat,
+            compress_to_pubkey: false,
+            payer: payer_pubkey,
+        };
+
+        create_and_assert_token_account_fails(
+            &mut context,
+            compressible_data,
+            "rent_sponsor_self_reference",
+            3, // InvalidAccountData
+        )
+        .await;
+    }
 }