From cb0823d68f302aaa5601c5c4a22c351379c375a0 Mon Sep 17 00:00:00 2001 From: ananas Date: Thu, 12 Feb 2026 17:06:15 +0000 Subject: [PATCH 1/3] chore: add token_pool test to CI and fix InvalidMint error expectation - Add test-compressed-token-token-pool to justfile CI targets - Fix failing_tests_add_token_pool to expect InvalidMint error instead of ConstraintSeeds (restricted_seed() parses mint before PDA check) --- .../compressed-token-test/tests/token_pool.rs | 11 +++-------- program-tests/justfile | 7 +++++-- 2 files changed, 8 insertions(+), 10 deletions(-) diff --git a/program-tests/compressed-token-test/tests/token_pool.rs b/program-tests/compressed-token-test/tests/token_pool.rs index 46ab70219b..36fe4ade03 100644 --- a/program-tests/compressed-token-test/tests/token_pool.rs +++ b/program-tests/compressed-token-test/tests/token_pool.rs @@ -378,8 +378,8 @@ async fn failing_tests_add_token_pool() { ) .unwrap(); } - // 4. failing invalid mint - now fails with ConstraintSeeds because mint validation - // happens after PDA derivation (mint changed from InterfaceAccount to AccountInfo) + // 4. failing invalid mint - fails with InvalidMint because restricted_seed() is called + // in the seeds constraint and tries to parse mint data before PDA derivation check { let result = add_token_pool( &mut rpc, @@ -391,12 +391,7 @@ async fn failing_tests_add_token_pool() { FailingTestsAddTokenPool::InvalidMint, ) .await; - assert_rpc_error( - result, - 0, - anchor_lang::error::ErrorCode::ConstraintSeeds.into(), - ) - .unwrap(); + assert_rpc_error(result, 0, ErrorCode::InvalidMint.into()).unwrap(); } // 5. failing inconsistent mints { diff --git a/program-tests/justfile b/program-tests/justfile index b63c5fcdaa..b305eec372 100644 --- a/program-tests/justfile +++ b/program-tests/justfile @@ -52,7 +52,7 @@ test-system-cpi-v2-functional-account-infos: RUSTFLAGS="-D warnings" cargo test-sbf -p system-cpi-v2-test -- functional_account_infos # Compressed token tests -test-compressed-token: test-compressed-token-unit test-compressed-token-v1 test-compressed-token-mint test-compressed-token-light-token test-compressed-token-transfer2 +test-compressed-token: test-compressed-token-unit test-compressed-token-v1 test-compressed-token-mint test-compressed-token-light-token test-compressed-token-transfer2 test-compressed-token-token-pool test-compressed-token-unit: RUSTFLAGS="-D warnings" cargo test -p light-compressed-token @@ -69,6 +69,9 @@ test-compressed-token-light-token: test-compressed-token-transfer2: RUSTFLAGS="-D warnings" cargo test-sbf -p compressed-token-test --test transfer2 +test-compressed-token-token-pool: + RUSTFLAGS="-D warnings" cargo test-sbf -p compressed-token-test --test token_pool + # Compressed token batched tree test (flaky, may need retries) test-compressed-token-batched-tree: RUSTFLAGS="-D warnings" cargo test-sbf -p compressed-token-test -- test_transfer_with_photon_and_batched_tree @@ -102,7 +105,7 @@ ci-system-address: test-system-address test-e2e test-e2e-extended test-compresse ci-system-compression: test-system-compression test-system-re-init # Matches CI: compressed-token-and-e2e -ci-compressed-token-and-e2e: test-compressed-token-unit test-compressed-token-v1 test-compressed-token-mint +ci-compressed-token-and-e2e: test-compressed-token-unit test-compressed-token-v1 test-compressed-token-mint test-compressed-token-token-pool # Matches CI: compressed-token-batched-tree (with retry for flaky test) ci-compressed-token-batched-tree: From a283a6cd3a194a03e7b092a8dc7c145425699fd2 Mon Sep 17 00:00:00 2001 From: ananas Date: Thu, 12 Feb 2026 17:06:46 +0000 Subject: [PATCH 2/3] fix: enforce extension state checks for SPL compress (H-01 follow-up) Add extension state enforcement (paused, non-zero fees, non-nil hook) for SPL Token-2022 compress operations. Previously, SPL compress could bypass these checks, allowing an attacker to: 1. SPL Compress 10K with transfer fee mint (pool receives 9.9K) 2. SPL Decompress 10K (pool sends 10K) 3. Profit from the fee difference, draining pool funds Fix follows the same pattern as H-01 (PR #2246) - enforcement at the processing point in process_token_compression(), not in cache building. - Add enforce_extension_state() call for Compress mode in Token-2022 branch - Update test_spl_to_ctoken_fails_when_mint_paused to expect error 6127 (MintPaused from Light Token program) instead of 67 (SPL Token-2022) --- .../tests/compress_only/invalid_extension_state.rs | 1 + .../tests/light_token/extensions_failing.rs | 4 ++-- .../src/compressed_token/transfer2/compression/mod.rs | 6 ++++++ 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/program-tests/compressed-token-test/tests/compress_only/invalid_extension_state.rs b/program-tests/compressed-token-test/tests/compress_only/invalid_extension_state.rs index bfbabd6ad3..3d70c1625d 100644 --- a/program-tests/compressed-token-test/tests/compress_only/invalid_extension_state.rs +++ b/program-tests/compressed-token-test/tests/compress_only/invalid_extension_state.rs @@ -919,3 +919,4 @@ async fn test_ctoken_to_ctoken_blocked_by_non_nil_hook() { assert_rpc_error(result, 0, TRANSFER_HOOK_NOT_SUPPORTED).unwrap(); } + diff --git a/program-tests/compressed-token-test/tests/light_token/extensions_failing.rs b/program-tests/compressed-token-test/tests/light_token/extensions_failing.rs index 9291e7facf..7b70820bc4 100644 --- a/program-tests/compressed-token-test/tests/light_token/extensions_failing.rs +++ b/program-tests/compressed-token-test/tests/light_token/extensions_failing.rs @@ -412,8 +412,8 @@ async fn test_spl_to_ctoken_fails_when_mint_paused() { .rpc .create_and_send_transaction(&[transfer_ix], &payer.pubkey(), &[&payer]) .await; - // fails because of token 2022 check Transferring, minting, and burning is paused on this mint - assert_rpc_error(result, 0, 67).unwrap(); + // Fails in Light Token program with MintPaused (6127) before SPL transfer + assert_rpc_error(result, 0, 6127).unwrap(); println!("Correctly rejected SPL→Light Token when mint is paused"); } diff --git a/programs/compressed-token/program/src/compressed_token/transfer2/compression/mod.rs b/programs/compressed-token/program/src/compressed_token/transfer2/compression/mod.rs index 95e1beb9cf..41031ee92d 100644 --- a/programs/compressed-token/program/src/compressed_token/transfer2/compression/mod.rs +++ b/programs/compressed-token/program/src/compressed_token/transfer2/compression/mod.rs @@ -132,6 +132,12 @@ pub fn process_token_compression<'a>( return Err(ErrorCode::CompressedOnlyRequiresCTokenDecompress.into()); } + // Enforce extension state for SPL compress (paused, non-zero fees, non-nil hook). + // Decompress bypasses because it's exiting compressed state. + if compression.mode.is_compress() { + mint_checks.enforce_extension_state()?; + } + // Propagate whether mint is restricted to enable correct derivation of the spl interface pda. let is_restricted = mint_checks.has_restricted_extensions; spl::process_spl_compressions( From 70cdee490b889ea79bdafa34aaaa43e1267cd807 Mon Sep 17 00:00:00 2001 From: ananas Date: Thu, 12 Feb 2026 17:28:57 +0000 Subject: [PATCH 3/3] fix lint --- .../tests/compress_only/invalid_extension_state.rs | 1 - 1 file changed, 1 deletion(-) diff --git a/program-tests/compressed-token-test/tests/compress_only/invalid_extension_state.rs b/program-tests/compressed-token-test/tests/compress_only/invalid_extension_state.rs index 3d70c1625d..bfbabd6ad3 100644 --- a/program-tests/compressed-token-test/tests/compress_only/invalid_extension_state.rs +++ b/program-tests/compressed-token-test/tests/compress_only/invalid_extension_state.rs @@ -919,4 +919,3 @@ async fn test_ctoken_to_ctoken_blocked_by_non_nil_hook() { assert_rpc_error(result, 0, TRANSFER_HOOK_NOT_SUPPORTED).unwrap(); } -