Skip to content

fix: spl compress transfer fee check#2281

Merged
ananas-block merged 3 commits intomainfrom
fix/spl-compress-transfer-fee-check
Feb 12, 2026
Merged

fix: spl compress transfer fee check#2281
ananas-block merged 3 commits intomainfrom
fix/spl-compress-transfer-fee-check

Conversation

@ananas-block
Copy link
Contributor

@ananas-block ananas-block commented Feb 12, 2026
edited
Loading

Summary

Two commits implementing a security fix for SPL compress operations and CI improvements:

  1. Security fix: Enforce extension state checks (paused, non-zero fees, non-nil hooks) for SPL compress to prevent pool drain attacks
  2. CI/test fixes: Add token_pool tests to CI and fix error code expectations

Changes

  1. Add SPL compress extension state enforcement (compression/mod.rs)
    - Call enforce_extension_state() for Compress mode on Token-2022 mints (prevents transfer fee bypass attacks)
  2. Update test error expectation (extensions_failing.rs)
    - Change expected error from 67 (SPL Token-2022) to 6127 (Light Token's MintPaused) for earlier enforcement
  3. Fix token_pool test error expectation (token_pool.rs)
    - Change expected error from ConstraintSeeds to InvalidMint (restricted_seed() validation order)
  4. Add token_pool to CI test targets (justfile)
    - Add test-compressed-token-token-pool target
    - Include in test-compressed-token and ci-compressed-token-and-e2e aggregates

@ananas-block
chore: add token_pool test to CI and fix InvalidMint error expectation
cb0823d 
- Add test-compressed-token-token-pool to justfile CI targets
- Fix failing_tests_add_token_pool to expect InvalidMint error instead of
  ConstraintSeeds (restricted_seed() parses mint before PDA check)
@ananas-block
fix: enforce extension state checks for SPL compress (H-01 follow-up)
a283a6c 
Add extension state enforcement (paused, non-zero fees, non-nil hook)
for SPL Token-2022 compress operations. Previously, SPL compress could
bypass these checks, allowing an attacker to:
1. SPL Compress 10K with transfer fee mint (pool receives 9.9K)
2. SPL Decompress 10K (pool sends 10K)
3. Profit from the fee difference, draining pool funds

Fix follows the same pattern as H-01 (PR #2246) - enforcement at the
processing point in process_token_compression(), not in cache building.

- Add enforce_extension_state() call for Compress mode in Token-2022 branch
- Update test_spl_to_ctoken_fails_when_mint_paused to expect error 6127
  (MintPaused from Light Token program) instead of 67 (SPL Token-2022)
@coderabbitai
Copy link
Contributor

coderabbitai bot commented Feb 12, 2026
edited
Loading

Warning

Rate limit exceeded

@ananas-block has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 7 minutes and 43 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

✨ Finishing touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch fix/spl-compress-transfer-fee-check

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@ananas-block ananas-block merged commit c7866ee into main Feb 12, 2026
31 checks passed
@ananas-block ananas-block deleted the fix/spl-compress-transfer-fee-check branch February 12, 2026 18:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sergeytimoshin sergeytimoshin sergeytimoshin approved these changes

@SwenSchaeferjohann SwenSchaeferjohann SwenSchaeferjohann approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ananas-block @sergeytimoshin @SwenSchaeferjohann