
fix(programs): enforce extension checks for Compress with CToken-only outputs (H-01) #2261

Closed
ananas-block wants to merge 1 commit into main from jorrit/fix-certora-h01-extension-bypass


ananas-block (Contributor) commented Feb 9, 2026

Summary

  • Certora audit H-01: When compressing tokens from a CToken account with no compressed outputs, restricted extension checks were bypassed because no_compressed_outputs triggered check_mint_extensions() instead of parse_mint_extensions().
  • Fix: Only skip restricted checks when decompressing with no compressed outputs, not when compressing.

Changes

  • check_extensions.rs: Changed condition from is_compress_and_close() || no_compressed_outputs to is_compress_and_close() || (is_decompress() && no_compressed_outputs).

Summary by CodeRabbit

  • Bug Fixes
    • Improved validation enforcement during token decompression operations to more strictly enforce mint extension restrictions, strengthening security checks for operations with existing outputs.

…n-only outputs (H-01)

Previously, all compression modes bypassed check_mint_extensions() when
no_compressed_outputs was true. This allowed Compress-mode operations
with CToken-only outputs to skip restricted extension enforcement.
Now only CompressAndClose and Decompress-with-no-outputs bypass the check.

coderabbitai bot (Contributor) commented Feb 9, 2026

Walkthrough

The PR refines bypass logic for mint extension checks in the compressed token transfer code. The condition was narrowed to restrict bypasses: instead of bypassing for CompressAndClose OR any mode with no compressed outputs, it now bypasses only for CompressAndClose OR Decompress with no outputs, ensuring checks remain enforced during Decompress operations with existing outputs. Comments updated accordingly.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Mint Extension Check Bypass Refinement: programs/compressed-token/program/src/compressed_token/transfer2/check_extensions.rs | Narrowed bypass conditions in build_mint_extension_cache to enforce mint extension checks during Decompress with outputs, while maintaining bypass for CompressAndClose and Decompress with no outputs. Updated comments to clarify restriction enforcement behavior. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • chore: increase mint cache robustness #2237: Enforces presence of mint checks in the cache (MintNotInCache validation) and updates downstream usage of the mint extension cache, directly complementing this PR's bypass condition refinement.
  • fix: compress and close hotpath #2059: Modifies CompressAndClose vs Decompress control flow for compressed token transfers, enforcing validation of compressed output presence, which relates to the distinction this PR introduces between Decompress modes.

Suggested labels

ai-review

Suggested reviewers

  • sergeytimoshin
  • SwenSchaeferjohann

Poem

✨ A bypass grows wise, its scope refined,
No longer broad where precision's assigned,
Decompress with outputs stands firm and true,
While CompressAndClose still slips right through! 🎯

🚥 Pre-merge checks: ✅ 3 passed

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the primary change: enforcing extension checks for Compress mode with CToken-only outputs, directly addressing the Certora audit finding H-01. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 70.00%. |


No actionable comments were generated in the recent review. 🎉



ananas-block changed the title from "fix(H-01): enforce extension checks for Compress with CToken-only outputs" to "fix(programs): enforce extension checks for Compress with CToken-only outputs (H-01)" on Feb 9, 2026

ananas-block (Contributor, Author) commented

Closing in favor of #2246 which addresses the H-01 vulnerability at the correct enforcement point (decompress path), without breaking the legitimate Compress-with-no-outputs case.
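
The two conditions quoted in the PR description, modelled side by side as an added example (not code from this PR or from the project). The `Mode` enum and the function names are assumptions standing in for `is_compress_and_close()`, `is_decompress()` and `no_compressed_outputs`; enumerating every state shows the single case in which the two conditions disagree.

```rust
// Simplified model (assumption): names follow the PR text, not the project's types.
#[derive(Clone, Copy, Debug, PartialEq)]
enum Mode {
    Compress,
    Decompress,
    CompressAndClose,
}

/// Condition before the change: is_compress_and_close() || no_compressed_outputs
fn skips_restricted_checks_before(mode: Mode, no_compressed_outputs: bool) -> bool {
    mode == Mode::CompressAndClose || no_compressed_outputs
}

/// Condition after the change:
/// is_compress_and_close() || (is_decompress() && no_compressed_outputs)
fn skips_restricted_checks_after(mode: Mode, no_compressed_outputs: bool) -> bool {
    mode == Mode::CompressAndClose || (mode == Mode::Decompress && no_compressed_outputs)
}

/// Every (mode, no_compressed_outputs) pair on which the two conditions disagree.
fn changed_cases() -> Vec<(Mode, bool)> {
    let modes = [Mode::Compress, Mode::Decompress, Mode::CompressAndClose];
    let mut changed = Vec::new();
    for &mode in modes.iter() {
        for &no_outputs in [false, true].iter() {
            let before = skips_restricted_checks_before(mode, no_outputs);
            let after = skips_restricted_checks_after(mode, no_outputs);
            if before != after {
                changed.push((mode, no_outputs));
            }
        }
    }
    changed
}

fn main() {
    // Print the states whose enforcement behaviour differs between the two conditions.
    for (mode, no_outputs) in changed_cases() {
        println!("changed: mode={:?}, no_compressed_outputs={}", mode, no_outputs);
    }
}
```

A table-driven check of this shape makes a good regression test for any bypass condition: it fails as soon as a later edit widens or narrows the set of states that skip enforcement.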
